Abstract

We investigate definitions of and protocols for multi-party quantum computing in 
the scenario where the secret data are quantum systems. We work in the quantum 
information-theoretic model, where no assumptions are made on the computational 
power of the adversary. For the slightly weaker task of verifiable quantum secret 
sharing, we give a protocol which tolerates any t < n/4 cheating parties (out of n). 
This is shown to be optimal. We use this new tool to establish that any multi-party 
quantum computation can be securely performed as long as the number of dishonest 
players is less than n/6. 

This thesis is based on joint work with Claude Crepeau and Daniel Gottesman. 
Chapter 1
Introduction 



Secure distributed protocols have been an important and fruitful area of research for 
modern cryptography. In this setting, there is a group of participants who wish to 
perform some joint task, despite the fact that some of the participants in the protocol 
may cheat in order to obtain additional information or corrupt the outcome. When 
we approach distributed cryptography from the perspective of quantum computing, 
a number of natural questions arise: 

• Do existing classical protocols remain secure when the adversary has access to a 
quantum computer? 

• Can we use quantum computing and communication to find new, more secure or 
faster protocols for classical tasks? 

• What new, quantum cryptographic tasks can we perform? 

This research is inspired by the last of these questions. We propose to investigate
a quantum version of an extensively studied classical problem, secure multi-party
computation (or secure function evaluation), first introduced by [GMW87]. In this
scenario, there are n players in a network. Each player i has an input x_i, and the
players want to run a protocol to collectively compute some joint function f(x_1, ..., x_n).
The challenge is that all players would like this function evaluation to be secure.
Informally, this means:

1. Soundness and Completeness: At the end of the protocol, all honest players should
learn the correct function value f(x_1, ..., x_n).

2. Privacy: Cheating players should learn nothing at all beyond what they can deduce
from the function output and their own inputs.



Multi-party Quantum Computation For this thesis, we consider an extension of
this task to quantum computers. A multi-party quantum computing (MPQC) protocol
allows n participants P_1, P_2, ..., P_n to compute an n-input quantum circuit in such a
way that each party P_i is responsible for providing one (or more) of the input states.
The output of the circuit is broken into n components H_1 ⊗ ... ⊗ H_n such that P_i
receives the output H_i. Some components H_i may be empty.

Note that the inputs to this protocol are arbitrary quantum states: the player
providing an input need only have it in his possession; he does not need to know
a classical description of it¹. Moreover, unlike in the classical case, we cannot assume
without loss of generality that the result of the computation will be broadcast.
Instead, each player in the protocol receives some part of the output.

Informally, we require two security conditions as before. On one hand, no coalition
of t or fewer cheaters should be able to affect the outcome of the protocol beyond
what influence they have by choosing their inputs. On the other hand, no coalition
of t or fewer cheaters should be able to learn anything beyond what they can deduce
from their initial knowledge of their input and from the systems H_i to which they
have access. We formalize this notion in Section 1.2.



Verifiable Quantum Secret Sharing In order to construct MPQC protocols, we
consider a subtask which we call verifiable quantum secret sharing. In classical cryptography,
a verifiable secret sharing scheme [CGMA85] is a two-phase protocol with
one player designated as the "dealer". After the first phase (commitment), the dealer
shares a secret amongst the players. In the second phase (recovery), the players reconstruct
the value publicly. When the dealer passes the first phase of the protocol,
then

• Soundness: There is a uniquely defined value s which will be reconstructed in the 
second phase, regardless of any interventions by an adversary who can control no 
more than t players. 

• Completeness: If the dealer is honest, then he always passes the commitment phase 
and the value s recovered in the second phase is the secret he intended to share. 

• Privacy: If the dealer is honest, no coalition of t players can learn any information 
about s. 

The natural quantum version of this allows a dealer to share a state p (possibly 
unknown to him but nonetheless in his possession). Because quantum information is 
not clone-able, we cannot require that the state be reconstructed publicly; instead, 
the recovery phase also has a designated player, the reconstructor R. We require 
that, despite any malicious actions by a coalition of up to t players: 

• Soundness: As long as R is honest and the dealer passes the commitment phase 
successfully, then there is a unique quantum state which can be recovered by R. 

• Completeness: When D is honest, then he always passes the commitment phase. 
Moreover, when R is also honest, then the value recovered by R is exactly D's 
input p. 



¹ For quantum information, merely having a state in one's possession is not the same as knowing
a description of it, since one cannot completely measure an unknown quantum state.
• Privacy: When D is honest, the adversaries learn no information about his input
until the recovery phase. 

Note that the privacy condition in this informal definition is redundant, by the
properties of quantum information: any information adversaries could obtain about
the shared state would imply some kind of disturbance (in general) of the shared
state, which would contradict the completeness requirement. A formal definition of
security is given in Section 1.2.



Contributions The results of this thesis are based on unpublished joint work with
Claude Crepeau and Daniel Gottesman [CGS01]. In this thesis:



• We give a protocol for verifiable quantum secret sharing that tolerates any number 
t < n/4 of cheaters. 

• We show that this is optimal, by proving that VQSS is impossible when t ≥ n/4.

• Based on techniques from fault-tolerant quantum computing, we use our VQSS 
protocol to construct a multi-party quantum computation protocol tolerating any 
t < n/6 cheaters. 

Our protocols run in time polynomial in both n, the number of players, and k, the 
security parameter. The error of the protocols (to be defined later) is exponentially 
small in k. 

Beyond these specific results, there are a number of conceptual contributions of 
this thesis to the theory of quantum cryptographic protocols. 

• We provide a simple, general framework for defining and proving the security of
distributed quantum protocols in terms of equivalence to an ideal protocol involving
a third party. This follows the definitions for classical multi-party protocols,
which have been the subject of considerable recent work [GL90, Bea91, MR91,
Can00, DM00, CDD+01, PW00, Can01, vdG97].



• The analysis of our protocols leads us to consider various notions of local "neighborhoods"
of quantum states, and more generally of quantum codes. We discuss
three notions of a neighborhood. The notion most often used for the analysis
of quantum error-correction and fault-tolerance is insufficient for our needs, but
we show that a very natural generalization, specific to so-called CSS codes, is
adequate for our purposes.

• Along the way, we provide modified versions of the classical sharing protocols
of [CCD88]. The key property these protocols have is that dealers do not need
to remember the randomness they use when constructing shares to distribute to
other players. This allows them to replace a random choice of coins with the
superposition over all such choices.
Organization The thesis is organized as follows. Chapter 1 contains the material
necessary for understanding the protocols of this thesis as well as their context. Section
1.1 describes the previous work on the topics in this thesis, with emphasis on
the works whose results we use directly. In Section 1.2, we present a framework for
defining security of a distributed quantum protocol which involves interaction with a
trusted third party. We use this framework to formally define both verifiable quantum
secret sharing and multi-party quantum computation. Section 1.3 contains the
mathematical background for understanding our protocols, as well as results we use
from the existing literature. In Section 1.4, we introduce three definitions of the local
"neighborhoods" of a quantum code, in order to help the reader understand exactly
what properties our protocols guarantee and what properties are needed in our security
analyses. Some additional relations between these three notions are shown in
Appendix A.

The protocols which are the main focus of this thesis are presented in Chapter 2.
One of the main proof techniques we use is a "quantum-to-classical reduction" (terminology
due to [LC99]). In Section 2.1, we illustrate this technique with a simple
protocol which achieves VQSS for a small number of cheaters (t < n/8), and whose
analysis will prove insightful for the sequel. Section 2.2 uses a similar technique, but
applied to a modified version of the classical "verifiable blob" protocol of [CCD88],
to construct a VQSS protocol secure against t < n/4 cheaters. In Section 2.3, we show
this is optimal by relating VQSS protocols to error-correcting codes and applying the
quantum Singleton bound. Finally, we use our sharing scheme to construct an MPQC
protocol which tolerates any t < n/6 cheaters.
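The following sketch of why the Singleton bound pins the threshold at n/4 is added here as an illustration; it is not the thesis' proof, which is the argument of Section 2.3. If a VQSS protocol tolerates t cheaters, then with an honest dealer the n shares form a quantum code from which the reconstructor still recovers the secret after any t of the shares have been replaced arbitrarily. A quantum code correcting t arbitrary errors has minimum distance

$$d \ge 2t + 1.$$

The quantum Singleton bound for a code encoding k qupits into n qupits with distance d states

$$n - k \ge 2(d - 1),$$

and with k ≥ 1 (at least one qupit is shared) and d ≥ 2t + 1 this gives

$$n \ge 4t + 1, \qquad \text{i.e.} \qquad t < \frac{n}{4},$$

which is the bound the protocol of Section 2.2 attains.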

We conclude with some open questions related to our results (Chapter 3).



1.1 Previous Work 



Classical MPC Most of the work on classical distributed protocols is based on secret
sharing, in which a message is encoded and shared amongst a group of players such
that no coalition of t players gets any information at all about the encoded secret, but
any group of t + 1 or more players can recover the secret exactly. The prototypical
and most commonly used solution to this is the polynomial sharing scheme due to
Shamir [Sha79]: choose a random polynomial f of degree at most t over Z_p (for some
prime p > n) subject to f(0) = s, where s is the secret being shared. The share
given to player i is the value f(i), for i = 1, ..., n. Note that for normal secret sharing we
assume that the shares are prepared honestly.
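The following Python program is an added example, not code from the thesis. It implements Shamir sharing over Z_p exactly as described above and checks the two properties the text states (any t shares are consistent with every possible secret; any t + 1 honest shares recover it). It also shows the error-correcting reconstruction that underlies the BGW/CCD setting discussed below, where n ≥ 3t + 1 shares of which at most t are corrupted still determine the secret because the shares form a Reed-Solomon codeword. The modulus P = 11 and the brute-force decoder are choices made here for illustration; a real implementation would use a larger prime and Berlekamp-Welch decoding.

```python
"""Shamir polynomial sharing over Z_p (p prime, n < p) with plain reconstruction,
error-correcting reconstruction for n >= 3t+1, and a brute-force privacy check.
Added example; P = 11 and the subset-search decoder are illustration choices."""
import itertools
import random

P = 11  # prime > n; kept small so the privacy check can enumerate every polynomial


def poly_eval(coeffs, x, p=P):
    """Evaluate sum_j coeffs[j] * x^j mod p (coeffs[0] is the constant term)."""
    return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p


def share(secret, n, t, p=P, rng=random):
    """Dealer: random f of degree <= t with f(0) = secret; player i receives f(i)."""
    assert 0 < n < p and 0 <= t < n
    coeffs = [secret % p] + [rng.randrange(p) for _ in range(t)]
    return {i: poly_eval(coeffs, i, p) for i in range(1, n + 1)}


def interpolate(points, x, p=P):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the points {x_i: y_i}."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, p - 2, p)) % p  # Fermat inverse of den
    return total


def reconstruct(shares, t, p=P):
    """Honest-share reconstruction: any t+1 shares determine f, hence f(0)."""
    if len(shares) < t + 1:
        raise ValueError("need at least t+1 shares")
    chosen = dict(list(shares.items())[: t + 1])
    return interpolate(chosen, 0, p)


def robust_reconstruct(shares, t, p=P):
    """Reconstruction tolerating up to t corrupted shares out of n >= 3t+1.
    Two distinct polynomials of degree <= t agree on at most t points, so a wrong
    polynomial can match at most t honest shares plus t corrupted ones, i.e. 2t,
    while the dealer's matches >= n-t >= 2t+1. The unique degree-<=t polynomial
    matching >= n-t shares is therefore the dealer's. Brute force over
    (t+1)-subsets; Berlekamp-Welch does this in polynomial time."""
    n = len(shares)
    if n < 3 * t + 1:
        raise ValueError("n >= 3t+1 is required for unique decoding")
    for subset in itertools.combinations(shares, t + 1):
        pts = {x: shares[x] for x in subset}
        agree = sum(1 for x in shares if interpolate(pts, x, p) == shares[x])
        if agree >= n - t:
            return interpolate(pts, 0, p)
    raise ValueError("more than t shares are corrupted")


def polys_consistent_with(t_shares, secret, t, p=P):
    """Privacy check: count polynomials of degree <= t with f(0) = secret that
    produce exactly the given t shares. Every candidate secret gets the same
    count (one), so a coalition holding t shares learns nothing about it."""
    count = 0
    for tail in itertools.product(range(p), repeat=t):
        coeffs = [secret % p] + list(tail)
        if all(poly_eval(coeffs, x, p) == y for x, y in t_shares.items()):
            count += 1
    return count


if __name__ == "__main__":
    rng = random.Random(2024)        # fixed seed so the run is reproducible
    n, t, s = 7, 2, 5                # n = 3t + 1
    sh = share(s, n, t, rng=rng)
    print("shares:", sh)
    print("from 3 honest shares:", reconstruct(sh, t))
    bad = dict(sh)
    bad[2] = (bad[2] + 3) % P        # two cheaters hand in altered shares
    bad[6] = (bad[6] + 9) % P
    print("with 2 corrupted shares:", robust_reconstruct(bad, t))
    view = {1: sh[1], 2: sh[2]}      # what a coalition of t = 2 players sees
    print("polynomials per candidate secret:",
          [polys_consistent_with(view, c, t) for c in range(P)])
```

The privacy check enumerates all p^t degree-t polynomials with a fixed constant term, which is only feasible for a toy modulus; the point it makes is that the count is the same for every candidate secret, which is the precise sense in which t shares carry no information.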

This assumption was removed in subsequent work: Multi-party computing, in
which no player may be assumed to be honest, was first treated explicitly by Goldreich
et al. [GMW87], although the subtask of verifiable secret sharing had been
investigated previously by Chor et al. [CGMA85]. Goldreich et al. [GMW87] proved
that under computational assumptions, secure multi-party evaluation of any function
was possible tolerating any minority of cheating players, i.e. for any t < n/2.

Subsequently, Ben-Or et al. [BGW88] and Chaum et al. [CCD88] independently
proved that tolerating up to t < n/3 was possible without computational assumptions,
provided that one assumed that every pair of participants was connected by a secure
channel. Moreover, this bound is tight due to the impossibility of even agreeing
on a single bit when t ≥ n/3 (see Lynch [Lyn96], for example). The main difference
between the results of [CCD88] and those of [BGW88] is that the former allow a small
probability of error (exponentially small in the complexity of the protocol).

The bound of n/3 for information-theoretically secure MPC was broken by Rabin
and Ben-Or [RB89] and Beaver [Bea89], who showed that assuming the existence of
a secure broadcast channel, one can in fact tolerate any minority (t < n/2) of
cheaters without computational assumptions. Their protocols introduce a small error
probability, which is provably unavoidable [RB89]. The results of [RB89, Bea89] were
extended to the model of adaptive adversaries by Cramer et al. [CDD+99].

All of these protocols rely on verifiable secret sharing. Our solution draws most
heavily on the techniques of [CCD88]. The essential idea behind their VSS protocol
is to share the secret using a two-level version of the basic scheme of Shamir (above),
and then use a cut-and-choose zero-knowledge proof to allow the dealer to convince
all players that the shares he distributed were consistent with a single polynomial
of degree at most t.

Beyond these basic protocols, a line of work has focused on coming up with proper
definitions of multi-party computing [GL90, Bea91, MR91, Can00, DM00, CDD+01,
PW00, Can01]. Both [Can01] and [CDD+01] provide summaries of that literature.
Most of the research has focused on finding definitions which allow composability of
protocols, mainly focusing on multi-party computing (often referred to, more precisely,
as secure function evaluation). In this work, we adopt a simple definition
(based on the initial definitions of Canetti). We do not prove any composition theorems,
but simply ensure that the definition captures our intuition of security and is
provably achieved by our protocols. See Section 1.2 for further discussion.



Multi-party Quantum Protocols Relatively little work exists on multi-party
cryptographic protocols for quantum computers. Secret sharing with a quantum
secret was first studied by Cleve, Gottesman and Lo [CGL99]. They suggested a
generalization of the Shamir scheme, which is also used by Aharonov and Ben-Or
[AB99] as an error-correcting code. One of the contributions of [CGL99] was to
point out the strong connection between secret sharing and error-correcting codes in
the quantum setting (see Section 1.3.2). Our VQSS protocol is based on the [CGL99]
scheme, using a modification of the techniques of [CCD88] to ensure the consistency
of distributed shares.

There were some additional works on distributed quantum protocols. Gottesman
[Got00] showed that quantum states could be used to share classical secrets more
efficiently than is possible in a classical scheme. Chau [Cha00] proposed a scheme
for speeding up classical multi-party computing using quantum techniques; [Cha00]
also mentions the problem of verifiable quantum secret sharing as an open question.
The dissertation of van de Graaf [vdG97] discusses defining the security of classical
distributed protocols with respect to quantum adversaries, but contains no
constructions.
Fault-tolerant Quantum Computing In our proposed solution, we also use techniques
developed for fault-tolerant quantum computing (FTQC). The challenge of
FTQC is to tolerate non-malicious faults occurring within a single computer. One
assumes that at every stage in the computation, every qubit has some probability p
of suffering a random error, i.e. of becoming completely scrambled (this corresponds
to the classical notion of random bit flips occurring during a computation). Moreover,
errors are assumed to occur independently of each other and of the data in the
computation.

One can view multi-party computation as fault-tolerant computing with a different
error model, one that is suited to distributed computing. On one hand, the MPQC
model is weaker in some respects since we assume that errors will always occur in the
same, limited number of positions, i.e. errors will only occur in the systems of the t
corrupted players.

On the other hand, the error model of MPQC is stronger in some respects: in
our setting errors may be maliciously coordinated. In particular, they will not be
independently placed, and they may in fact depend on the data of the computation:
the adversaries will use any partial information known about the other players' data,
as well as information about their own data, to attempt to corrupt the computation.
For example, several FTQC algorithms rely on the fact that at certain points in the
computation, at most one error is likely to occur. Such algorithms will fail in a model
of adversarially placed errors.

Techniques from FTQC are nonetheless useful for multi-party computing. Considerable
research has been done on FTQC. We rely mainly on the techniques of
Aharonov and Ben-Or [AB99], which were based on those of Shor [Sho96]. Using
CSS quantum error-correcting codes, Shor showed that fault-tolerance was possible
so long as the error rate in the computer decreased logarithmically with the size of the
computation being performed. Aharonov and Ben-Or showed that by using concatenated
coding, one could in fact tolerate a constant error rate. They also introduced
generalized CSS codes in which the individual pieces of a codeword are assumed to be
higher-dimensional systems, such as collections of several qubits (this corresponds to
using larger alphabets in classical coding theory).



Provably Secure (and Insecure) Quantum Protocols While quantum cryptographic
protocols have existed for some time, many of them have been proven secure
only recently. The first proofs of security appeared in the context of entanglement
purification protocols [BBP+96, DEJ+96, LC99]. In a different line of work, Mayers
[May98] provided a notoriously difficult proof that the Bennett-Brassard key distribution
scheme was secure. Unifying these two lines of research, Shor and Preskill
[SP00] proved the correctness of the Bennett-Brassard [BB84] key distribution protocol,
based on a previous proof of a purification-based protocol due to Lo and Chau
[LC99]. The main insight of [LC99] was that in certain situations, proving the security
of a quantum protocol could be reduced to classical probability arguments, since
one could assume without loss of generality that the adversary followed one of a finite
number of classical cheating strategies (a so-called "quantum-to-classical reduction").
A similar technique is used in [BCG+01] to prove the correctness of a scheme for authenticating
quantum transmission. This technique will also be useful for proving the
soundness of our protocol, as it will allow us to deal with possible entanglement between
data and errors by "reducing" them to classical correlations.

Note that for protocols where the adversary is one of the participants in the
system and not an outside eavesdropper, much less is known. Some proofs were
also attempted for tasks such as bit commitment [BCJL93], but those proofs were
later discovered to be flawed, since bit commitment was proven impossible [May96,
LC97a, May97, LC97b, BCMS98]. There have also been several works on
quantum coin-tossing. Although arbitrarily small error is known to be impossible,
several works have focused on reducing the error as much as possible [LC96, MS99,
ATVY00, Amb01]. Yet another line of work has focused on how to achieve certain two-party
tasks using computational assumptions, i.e. assuming that there exist (quantum)
one-way permutations [DMS00, CLS01].
1.2 Definitions



This section describes a simple framework for proving the security of distributed
quantum cryptographic protocols. The definitions are based on the initial framework
of Canetti [Can00], as well as on discussions in the dissertation of van de Graaf
[vdG97]. We describe two models for protocols. The first, the "real" model,
describes the environment we ultimately expect our protocols to run in. The second
model is an idealized model in which players can interact with an incorruptible outside
party. We will prove our "real-model" protocols secure by showing that they are
equivalent to a simple protocol for the ideal model which captures our notion of what
security means for a given task.

We provide no general composition theorems in this work. Instead, we simply
prove the security of our composed protocols directly.



1.2.1 "Real" Model for Protocols 

For the protocols in this paper, we assume that every pair of players is connected
by perfect (i.e. authenticated, secret) quantum and classical channels. Moreover, we
assume that there is a classical authenticated broadcast channel to which all players
have access. Because we will consider settings where t < n/4 < n/3, we can also assume
that players can perform classical multi-party computations [BGW88, CCD88]².



The adversary is an arbitrary quantum algorithm (or family of circuits) A. We
make no assumptions about the computational power of the adversary; he is limited
only by the number of players t that he can corrupt.

The initial configuration for the protocol is the joint state ρ of n + 2 quantum
systems: an input system I_i for each player in the protocol (i = 1, ..., n), as well
as the adversary's auxiliary input system I_aux and an outside reference system I_ref
(which will remain untouched throughout the protocol). Note that the input can be
an arbitrary quantum state, possibly entangling all these systems.

A run of a "real model" protocol begins with all players receiving their input
system I_i and the adversary receiving the state I_aux. The adversary then chooses
a subset C of size at most t of players to corrupt. From then on, the adversary
has access to the state of the players in C and controls what they send over the
channels. The adversary may cause the cheaters' systems to interact arbitrarily. His
only restriction is that he has no access to the state of the honest players, and cannot
intercept their communication. The reference system I_ref is untouched during this
process.

At the end of the protocol, all players produce an output (for honest players, this
is the output specified by the protocol). The system output by player i is denoted O_i.
Moreover, the adversary outputs an additional system O_aux. The output configuration
for the run of the protocol is the joint state of O_1, ..., O_n, the adversary's state O_aux
and the reference system I_ref. This state depends on the adversary A and the initial
configuration ρ, and is denoted Real(A, ρ). Note that this configuration does not
include any ancillary states or workspace used by honest players, only the output
specified by the protocol (i.e. all other parts of the honest players' systems are
"traced out").

² In fact, even the assumption of a broadcast channel is unnecessary (since t < n/3), but it is made
for simplicity.

1.2.2 "Ideal" Model For Protocols

The main difference of the ideal model from the real model is that there is a trusted
third party (denoted TTP) who helps the players in the execution of some protocol.
The communications model is the same as before, except that every player is connected
to TTP via a perfect (i.e. authentic, secret) quantum channel. There is no
need to assume a broadcast channel since players can simply give a classical value to
TTP and ask that it be re-sent to all players.

As before, the initial configuration consists of n systems I_i containing the players'
inputs as well as the two systems I_aux and I_ref. The TTP gets no input. The
protocol proceeds as in the real model, except that players may interact with the
TTP, who may not be corrupted by the adversary. Finally, the output configuration
is the same as before. The final state of the TTP is not included in the output
configuration. The output configuration for adversary A and initial configuration ρ
is denoted Ideal(A, ρ).

1.2.3 Protocol Equivalence 

Suppose we have a protocol π which is supposed to implement some ideal functionality
f, that is, f is an ideal model protocol and π is an attempt to implement it in the
real model.

Informally, we say π implements f if the input/output behavior of π cannot be
distinguished from that of f. Formally:

Definition 1 (Perfect security). A protocol π is considered perfectly secure if for
all adversaries A_1, there exists an adversary A_2, running in time polynomial in that
of A_1, such that for all input configurations ρ (possibly mixed or entangled), we have:

Real(A_1, ρ) = Ideal(A_2, ρ)

The protocols we design do not in fact achieve this strong notion of security.
Instead, they take a security parameter k as input. All players receive the classical
string 1^k as part of their input (in the ideal model, so does the TTP). Moreover, the
inputs may additionally depend on k (in particular, we allow the adversary's auxiliary
input to depend on k). Since honest players should be polynomial-time quantum
circuits, the protocol will run in time polynomial in k, although the adversary need
not.

Definition 2 (Statistical security). A protocol π is considered statistically secure
if for all adversaries A_1, there exists an adversary A_2, running in time polynomial in
that of A_1, such that for all sequences of input configurations {ρ_k} (possibly mixed
or entangled), we have:

F(Real(1^k, A_1, ρ_k), Ideal(1^k, A_2, ρ_k)) ≥ 1 − 2^{−k}

where F denotes the fidelity of two quantum density matrices.

Simulators Our definition asks us to construct a new adversary A_2 for every real
adversary A_1. To do so, we will follow the standard cryptographic paradigm of
constructing a simulator S who uses A_1 as a black box. Thus we can write A_2 = S^{A_1}.
We can view S as an "interface" between the real-world adversary and the ideal-model
protocol [vdG97]: S exchanges messages with A_1, but must also control the corrupted
parties in the ideal-model protocol.

When A_2 is constructed in this way, then the definition above can be restated:
Suppose that at the end of the protocol the adversary gains access to the outputs of
the honest players. There should not exist a real-world adversary A_1 that can tell
the difference between (a) a run of the real protocol and (b) a run of the ideal-model
protocol with S as an interface. We will construct simulators for our protocols in
Section 2.2.6 and Section 2.4.2.



1.2.4 Static versus Adaptive Adversaries 

In this thesis, we consider only static adversaries, who choose the parties they will
corrupt before the beginning of the protocol and remain with that choice. On the
other hand, an adaptive adversary chooses which players to corrupt as the protocol is
progressing. The set of corrupted parties is still monotone (we do not allow a player
to become honest again once he has been corrupted³), but the adversary can base his
decision on the messages he sees in the protocol. For example, if the players were
to elect a small group of participants to make some decision amongst themselves, an
adaptive adversary could wait until the selection had been made and then corrupt the
members of that small group. Proving protocols secure against adaptive adversaries
has been problematic even in the classical setting [CFGN96, CDD+99].



Choosing to handle only static adversaries simplifies the definitions and proofs
considerably, and offers no real loss of intuition. Nonetheless, we believe that the
protocols we describe here are secure against adaptive adversaries, assuming that the
environment in which the protocol is running somehow records which parties were
corrupted and in what order (it is unclear what adaptivity even means without such
an assumption). In Section 2.1.2, we discuss briefly how some of the proofs could be
extended to handle adaptivity (see the remark on p. 38).



³ An adversary who corrupts players dynamically is called a mobile adversary, and protocols for
handling such adversaries are called pro-active.
1.2.5 Multi-party Quantum Computation

We define multi-party quantum computation by giving an ideal-model protocol for
that task. Simply put, all players hand their inputs to the trusted party, who runs the
desired circuit and hands back the outputs. Note that the only kind of cheating which
is possible is that cheaters may choose their own input. In particular, cheaters cannot
force the abortion of the protocol. One possible extension of this work is to consider
protocols where cheaters may not compromise the correctness of the computation but
might force the protocol to stop before completion (see Open Questions, Chapter 3).



Protocol 1 (Multi-party Quantum Computation — Ideal Model).

Pre: All players agree on a quantum circuit U with n inputs and n outputs (for simplicity,
assume that the i-th input and output correspond to player i).

Input: Each player gets an input system S_i (of known dimension, say p).

1. (Input Sharing) For each i, player i sends S_i to TTP. If TTP does not receive
anything, then he broadcasts "Player i is cheating" to all players. Otherwise, TTP
broadcasts "Player i is OK."

2. (Computation) TTP evaluates the circuit U on the inputs S_i. For all i who cheated,
TTP creates S_i in a known state (say |0⟩).

3. (Output)

(a) TTP sends the i-th output to player i.

(b) Player i outputs the system he receives from TTP.

Figure 1-1: Protocol 1 (Multi-party Quantum Computation — Ideal Model)



1.2.6 Verifiable Quantum Secret Sharing 

Providing a definition of verifiable quantum secret sharing is trickier than it is for multi-party
computing. The idea of the ideal protocol is simple. In the sharing phase, the
dealer gives his secret system to the trusted party. In the reconstruction phase, the
TTP sends the secret system to the reconstructor R.

However, a problem arises because VQSS is a two-phase task, and the formalism we
established in the preceding sections only describes one-phase protocols, which have
a simpler input/output behaviour. For example, if all we required of VQSS is that
the reconstructor's output be the same as the dealer's input, we could simply have
D send his secret system to R without violating the definition, a clear indication
that such a definition would be insufficient. For the purposes of this thesis, we adopt
a simple modification of the definition of the preceding sections which allows us to
describe VQSS: instead of giving all inputs to the parties at the beginning of the run
of the protocol, some inputs are not given to the parties until the beginning of the
reconstruction phase.

Specifically, two of the inputs are delayed. First, players learn the identity of the
reconstructor R only at the beginning of the reconstruction phase (note that this
doesn't stop the adversary from knowing R since the definition requires security for
all adversaries and input sequences). Second, the adversary also receives a second
auxiliary input I_aux^(2) at the beginning of the reconstruction. This allows us to capture
any side information gained by the adversary during interactions which occur between
the end of the sharing phase and the beginning of the reconstruction phase.

The ideal-model protocol we obtain is given in Figure 1-2. The definition of
security we will use for this two-phase model is essentially the same as for the one-phase
model. An input configuration ρ consists of player identities D and R, a
secret system S and the two auxiliary inputs I_aux and I_aux^(2). We require that for
all adversaries A_1, there exists an adversary A_2 such that for all sequences of input
configurations {ρ_k}_{k∈N}, the fidelity of the output of the real protocol to the output of
the ideal protocol is exponentially close to 1.



Protocol 2 (Verifiable Quantum Secret Sharing — Ideal Model).

• Sharing Phase:

1. Inputs: All players get D's identity. Dealer D gets a qupit S (i.e. a p-dimensional system, where p is a publicly agreed-upon integer).

(Adversary also gets his auxiliary input $I_{aux}$.)

2. D sends the p-dimensional system S to TTP. If D fails to send S, then TTP broadcasts "D is cheating" to all players. Otherwise, TTP broadcasts "OK".

• Reconstruction Phase:

1. Inputs: All players get R's identity.

(Adversary also gets his second auxiliary input $I_{aux}^{(2)}$.)

2. If D did not cheat in the sharing phase, TTP sends S to the receiver R.

Figure 1-2: Protocol 2 (Verifiable Quantum Secret Sharing — Ideal Model)
1.3 Mathematical Preliminaries



We assume that the reader is familiar with the basic notation and formalism of quantum computing. For an introduction, the reader should refer to a textbook such as Nielsen and Chuang [NC00].



For most of this paper, we will work with "qupits", that is, p-dimensional quantum systems, for some prime p. It is natural to view the elements of the field $F = \mathbb{Z}_p$ as a basis for the state space of a qupit.

In our settings, it will be useful to choose p so that n < p. We need not choose p very big for this, since there is always a prime between n and 2n. However, all of our protocols will remain polynomial time even when p is exponential in n. That is, the complexity of the protocols will be polynomial in $\log |F| = \log p$.

Just as for the case of qubits, there are a few natural operators on qupits which 
we will use extensively in this paper. 

The shift and phase operators for qupits (sometimes denoted $\sigma_x$, $\sigma_z$) are defined analogously to the case of qubits:

$X|a\rangle \mapsto |a + 1 \bmod p\rangle$ and $Z|a\rangle \mapsto \omega^a |a\rangle$,

where $\omega = e^{2\pi i/p}$. These two operators generate the Pauli group. Since they have a simple commutation relation ($XZ = \omega ZX$), any element of the group is proportional to some product $X^x Z^z$ for $x, z \in \{0, \ldots, p-1\}$. As for qubits, the $p^2$ operators $X^x Z^z$ form a basis for the space of $p \times p$ complex matrices, and so any unitary operator on qupits can be written as a linear combination of Pauli matrices. In particular, this is useful since it means that correcting Pauli errors in a quantum code is sufficient for correcting arbitrary errors. In the context of errors, X is called a shift error and Z is a phase error.

For registers of qupits, the Pauli matrices are tensor products of Pauli matrices acting on individual qupits. If $x = (x_1, \ldots, x_n)$ and $z = (z_1, \ldots, z_n)$ are vectors in $\mathbb{Z}_p^n$, then $X^x Z^z$ denotes $X^{x_1} Z^{z_1} \otimes \cdots \otimes X^{x_n} Z^{z_n}$. These form a basis for the space of operators on the register. The set of positions on which a Pauli matrix does not act as the identity is called its support, and is equal to the union of the supports of x and z. The number of such positions is called the weight of the operator.



Fourier Rotations Another transformation which arises often is the Fourier transform on qupits, which generalizes the Hadamard rotation on qubits:

$\mathcal{F}|a\rangle \mapsto \frac{1}{\sqrt{p}} \sum_b \omega^{ab} |b\rangle$

This is called a Fourier rotation since its effect on the p-dimensional vector of coefficients of the state of a qupit is exactly that of the Fourier transform over the group $\mathbb{Z}_p$. Consequently, phase changes become shifts in this new basis, and conversely:

$\mathcal{F} X = Z \mathcal{F}$ and $\mathcal{F} Z = X^{-1} \mathcal{F}$
A useful property of the Fourier transform is that linear transformations remain linear after the change of basis. Specifically, let V be an invertible $n \times n$ matrix over $\mathbb{Z}_p$. Let $\tilde{V}$ denote the corresponding unitary operator on a register of n qupits, i.e. $\tilde{V}|x\rangle = |Vx\rangle$. Then in the Fourier basis (with $\mathcal{F}$ applied to every qupit of the register), this looks like a different linear map, given by the matrix $(V^{-1})^T$. That is, $\mathcal{F} \tilde{V} \mathcal{F}^{-1} = \widetilde{(V^{-1})^T}$.

The main feature we will use is simply that the transformation remains a linear permutation of the basis vectors. There is one very useful special case. For controlled addition (denoted c-X), which maps $|a, b\rangle \mapsto |a, a + b\rangle$, conjugating by a Fourier rotation yields another controlled addition, applied in the opposite direction and with a scaling factor of $-1$ (i.e. $|a, b\rangle \mapsto |a - b, b\rangle$).



1.3.1 Quantum Error-Correction 

A quantum error-correcting code is a way of encoding redundancy into quantum information to allow correction of errors which occur during transmission or storage. An $[[n, k, d]]$ quantum code encodes k qubits into n qubits (for n > k) and corrects any (arbitrary) error which affects less than $d/2$ positions in the code. The most resilient quantum codes actually work over higher-dimensional subspaces, i.e. each "position" in the code consists of a qupit. Recall that we work with qupits of dimension p, where p is some prime greater than n.



CSS Codes An important family of quantum codes are the CSS codes (due to Calderbank-Shor [CS96] and Steane [Ste96]). A CSS code over n qupits is defined by two classical linear codes V and W over $\mathbb{Z}_p$, both of length n. They are chosen such that $V^\perp \subseteq W$, where $V^\perp$ is the dual of V with respect to the standard dot product $v \cdot w = \sum_{i=1}^n v_i w_i$. Note that we automatically also have $W^\perp \subseteq V$. The quantum code C is then the set of states $|\psi\rangle$ which would yield a codeword of V if they were measured in the computational basis ($\{|0\rangle, |1\rangle, \ldots, |p-1\rangle\}$), and yield a codeword of W if they were measured in the Fourier basis ($\{\mathcal{F}|0\rangle, \ldots, \mathcal{F}|p-1\rangle\}$).

Now for any given system of n qupits and any linear subspace $W \leq F^n$, we define

$W^{(q)} = \mathrm{span}\{|w\rangle : w \in W\}$.

If we denote by $\mathcal{F}^{\otimes n}$ the parallel application of $\mathcal{F}$ to all qupits of an n-qupit register, then we have:

$C = V^{(q)} \cap \mathcal{F}^{\otimes n} W^{(q)}$

The dimension of C as a code, i.e. the number of qupits it can encode, is simply $\dim(V/W^\perp) = \dim V - \dim W^\perp$. For convenience, we will denote $V_0 = W^\perp$ and $W_0 = V^\perp$, and so the formula for the number of qupits encoded becomes $\dim V - \dim V_0 = \dim W - \dim W_0$.



Minimum Distance To correct an arbitrary error on a subset A of positions ($A \subseteq \{1, \ldots, n\}$), it turns out that it is sufficient (and necessary) to be able to correct Pauli errors, i.e. compositions of shift and phase errors applied to the qupits in A. Thus, to correct errors on any t positions it suffices to correct all Pauli errors of weight at most t. A sufficient condition is that the spaces $\{EC\}$ be mutually orthogonal, where E ranges over all Pauli operators of weight at most t. In such a case, one can correct any of these errors E on a codeword $|\psi\rangle$ by performing a measurement that identifies which of these subspaces contains the corrupted codeword $E|\psi\rangle$, and then applying the correction $E^{-1}$. This can be rephrased: for all Pauli operators of weight at most 2t, EC and C should be orthogonal spaces. The minimum distance of a quantum code C is thus the weight of the smallest Pauli operator for which this is not true.

Definition 3. The minimum distance of a quantum code C is the weight of the smallest Pauli operator E such that C and EC are not orthogonal.

By the previous discussion, a code with distance d can correct arbitrary errors on any $\lfloor (d-1)/2 \rfloor$ positions. For CSS codes, there is a simple way to calculate the minimum distance:

Fact 1.1. Let V, W be classical codes with minimum distances $d_1$ and $d_2$ such that $V^\perp \subseteq W$. Then the quantum CSS code $C = V^{(q)} \cap \mathcal{F}^{\otimes n} W^{(q)}$ has minimum distance at least $\min(d_1, d_2)$.

Syndromes and Error Correction Given a classical linear code V of dimension k, the syndrome for V is a linear function from n bits to n − k bits that indicates which coset of V contains its argument. If V has distance at least 2t + 1 and a codeword $v \in V$ is altered in t or fewer positions, then the syndrome of the corrupted word $v + e$ allows one to compute the correction vector $-e$. We will let V-syndrome denote the syndrome with respect to V. Note that computing the V-syndrome is easy. Fix a basis $\{v_1, \ldots, v_{n-k}\}$ of the dual code $V^\perp$. The V-syndrome of w is the vector $(v_1 \cdot w, \ldots, v_{n-k} \cdot w)$.

This is the basis for the error correction procedure for CSS codes. Suppose that $E = X^x Z^z$, and both x and z have support on at most t positions. Let $|\psi\rangle \in C$. Since $|\psi\rangle$ lies in $V^{(q)}$, measuring the V-syndrome of $E|\psi\rangle$ (in the computational basis) allows one to compute the vector x, and apply the correction $X^{-x}$. Similarly, measuring the W-syndrome in the Fourier basis allows one to compute z and apply $Z^{-z}$, thus recovering $|\psi\rangle$. The two measurements commute, so in fact it does not really matter which one is applied first.

The pair of measurement results used, namely the V-syndrome in the computational basis and the W-syndrome in the Fourier basis, are referred to together as the quantum syndrome. If the syndromes are $s_1$ and $s_2$ pits long respectively, then there are $p^{s_1 + s_2}$ possible quantum syndromes. This divides the whole space $\mathbb{C}^{\mathbb{Z}_p^n}$ into $p^{s_1 + s_2}$ orthogonal subspaces indexed by the set of equivalence classes of Pauli operators. That is, two Pauli operators E, E' are deemed equivalent if $EC = E'C$; and the space $\mathbb{C}^{\mathbb{Z}_p^n}$ can be written as the direct sum of the orthogonal spaces $\{E_j C\}_{j \in J}$, where J is a set of indices which contains exactly one element from each equivalence class. For a CSS code, two Pauli operators $X^x Z^z$ and $X^{x'} Z^{z'}$ will be equivalent if and only if x and x' are in the same coset of V, and z and z' are in the same coset of W. Note that the dimension of the code can also be written as $n - s_1 - s_2$.

4 In fact, the minimum distance of C is the minimum of the weights of the lightest vectors in $V - V_0$ and $W - W_0$. These are bounded below by the minimum distances $d_1, d_2$, and the bound is tight for the codes used in this paper.



Quantum Reed-Solomon Codes In this work we will use a family of CSS codes known as "quantum polynomial codes" or "quantum Reed-Solomon codes". These were introduced by Aharonov and Ben-Or [AB99], and generalize classical Reed-Solomon codes.

In this paper, we will specify a quantum RS code by a single parameter $\delta < (n-1)/2$, which represents the degree of the polynomials used in the code. The corresponding code C will encode a single qupit and correct $t = \lfloor \delta/2 \rfloor$ errors. For simplicity, choose $\delta = 2t$. We will always choose the number n of players to be either $2\delta + 1$ or $3\delta + 1$.

If n is the number of players, choose any p such that p > n (see footnote 3). We will work over the field $F = \mathbb{Z}_p$. The classical Reed-Solomon code $V^\delta$ is obtained by taking the vectors

$q = (q(1), q(2), \ldots, q(n))$

for all univariate polynomials q of degree at most $\delta$. The related code $V_0^\delta$ is the subset of $V^\delta$ corresponding to polynomials which interpolate to 0 at the point 0. That is:

$V^\delta = \{q : q \in F[x], \deg(q) \leq \delta\}$

$V_0^\delta = \{q : \deg(q) \leq \delta \text{ and } q(0) = 0\} \subseteq V^\delta$

The code $V^\delta$ has minimum distance $d = n - \delta$. Moreover, errors (up to $\lfloor (n - \delta - 1)/2 \rfloor$ of them) can be corrected efficiently, given the syndrome of the corrupted word.

Note that by the non-singularity of the Vandermonde matrix (i.e. polynomial interpolation), there exists a vector $d = (d_1, \ldots, d_n) \in F^n$ such that $d^T f = f(0)$ for any $f \in F[x]$ with $\deg(f) < n$.

Fact 1.2. Let $\delta' = n - \delta - 1$. The duals of the codes $V^\delta$, $V_0^\delta$ are

$W^{\delta'} = (V_0^\delta)^\perp = \{(d_1 q(1), \ldots, d_n q(n)) : \deg(q) \leq \delta'\}$

$W_0^{\delta'} = (V^\delta)^\perp = \{(d_1 q(1), \ldots, d_n q(n)) : \deg(q) \leq \delta' \text{ and } q(0) = 0\}$

Thus the dual of a Reed-Solomon code of degree $\delta$ is another RS code with degree $\delta'$, but where each component has been "scaled" according to some constant $d_i$. One can also show that $d_i \neq 0$ for all i.

The code C for parameter $\delta$ (occasionally written $C^\delta$) is the CSS code obtained from codes $V = V^\delta$ and $W = W^{\delta'}$. As mentioned before, it encodes a single qupit since $\dim V = \delta + 1$ and $\dim W^\perp = \delta$. Moreover, the minimum distance of V is $n - \delta$ and the minimum distance of W is $\delta + 1$. Thus, for $\delta < (n-1)/2$ we get that the minimum distance of C is at least $\delta + 1$, and it corrects at least $t = \delta/2$ errors.
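As an added worked example (not code from the thesis or from the cited papers), the following Python checks the classical facts behind $C^\delta$ numerically: the interpolation vector d, Fact 1.2, the CSS dimension and distance formulas of Section 1.3.1, and syndrome decoding of $V^\delta$ by table lookup (a brute-force stand-in for the efficient RS decoder the text refers to). The parameters p = 11, n = 7 = 3δ + 1, δ = 2 are constructed for the example.

```python
from itertools import combinations, product

# Constructed parameters (assumption for this example): p = 11 > n = 7, delta = 2.
P, N, DELTA = 11, 7, 2
DELTA_P = N - DELTA - 1                       # delta' = n - delta - 1 = 4
T = (N - DELTA - 1) // 2                      # errors V^delta corrects (2 here)

def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k in Z_p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def rs_word(coeffs):
    """Reed-Solomon encoding q -> (q(1), ..., q(n))."""
    return tuple(poly_eval(coeffs, i) for i in range(1, N + 1))

def interp_at_zero():
    """Vector d with d . (f(1), ..., f(n)) = f(0) for deg f < n (Lagrange at 0)."""
    d = []
    for i in range(1, N + 1):
        num = den = 1
        for j in range(1, N + 1):
            if j != i:
                num = num * (-j) % P          # factor (0 - j)
                den = den * (i - j) % P       # factor (i - j)
        d.append(num * pow(den, P - 2, P) % P)  # Fermat inverse of den
    return tuple(d)

D = interp_at_zero()

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def monomial(k):
    """Coefficient tuple of x^k."""
    return tuple(int(j == k) for j in range(k + 1))

# Bases: V^delta from x^0..x^delta; V_0^delta drops x^0 (forces q(0) = 0).
# W^{delta'} and W_0^{delta'} are the same with degree delta', each
# coordinate i scaled by d_i (Fact 1.2).
V_BASIS = [rs_word(monomial(k)) for k in range(DELTA + 1)]
V0_BASIS = V_BASIS[1:]
W_BASIS = [tuple(di * x % P for di, x in zip(D, rs_word(monomial(k))))
           for k in range(DELTA_P + 1)]
W0_BASIS = W_BASIS[1:]

def check_fact_1_2():
    """W^{delta'} = (V_0^delta)^perp and W_0^{delta'} = (V^delta)^perp:
    basis-wise orthogonality plus dimensions adding to n, and all d_i != 0."""
    ortho = (all(dot(w, v) == 0 for w in W_BASIS for v in V0_BASIS)
             and all(dot(w, v) == 0 for w in W0_BASIS for v in V_BASIS))
    dims = (len(W_BASIS) + len(V0_BASIS) == N
            and len(W0_BASIS) + len(V_BASIS) == N)
    return ortho and dims and all(D)

def span(basis):
    """All Z_p-linear combinations of the basis, as a set of words."""
    return {tuple(sum(c * b[i] for c, b in zip(cs, basis)) % P for i in range(N))
            for cs in product(range(P), repeat=len(basis))}

def min_weight(words):
    return min(sum(1 for x in w if x) for w in words if any(w))

def css_parameters():
    """(qupits encoded, dist(V), dist(W)) for C^delta = V^(q) cap F^(x)n W^(q):
    dim V - dim W^perp = (delta+1) - delta = 1; distances n-delta and delta+1."""
    encoded = len(V_BASIS) - len(V0_BASIS)     # W^perp = V_0^delta
    return encoded, min_weight(span(V_BASIS)), min_weight(span(W_BASIS))

def v_syndrome(word):
    """V-syndrome: inner products with the basis of V^perp = W_0^{delta'}."""
    return tuple(dot(w, word) for w in W0_BASIS)

def syndrome_table():
    """Syndrome -> unique error of weight <= T (injective since dist(V) >= 2T+1)."""
    table = {}
    for wt in range(1, T + 1):
        for pos in combinations(range(N), wt):
            for vals in product(range(1, P), repeat=wt):
                e = [0] * N
                for i, x in zip(pos, vals):
                    e[i] = x
                s = v_syndrome(e)
                assert s not in table, "two correctable errors share a syndrome"
                table[s] = tuple(e)
    return table

TABLE = syndrome_table()

def correct(word):
    """Subtract the error the V-syndrome identifies; returns the codeword."""
    e = TABLE.get(v_syndrome(word), (0,) * N)
    return tuple((x - y) % P for x, y in zip(word, e))
```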



3 In fact, the construction can be changed to allow p = n. 






The encoding we obtain can be described explicitly. Let $V_a^\delta = \{q : \deg(q) \leq \delta \text{ and } q(0) = a\}$. Then for any qupit in a pure state $|\psi\rangle = \sum_{a \in F} \alpha_a |a\rangle$, the encoded version is (ignoring normalization constants):

$\mathcal{E}|\psi\rangle = \sum_a \alpha_a \mathcal{E}|a\rangle = \sum_a \alpha_a \sum_{v \in V_a^\delta} |v\rangle = \sum_a \alpha_a \sum_{q : \deg(q) \leq \delta,\ q(0) = a} |q(1), \ldots, q(n)\rangle$

Note that the circuit for encoding is very simple: consider the linear map which takes the coefficients of a polynomial of degree at most $\delta$ and maps it to the vector $q(1), \ldots, q(n)$. Then placing $|\psi\rangle$ in the position of the constant coefficient and ini-



Correction, Detection and Erasures As mentioned above, the classical RS codes have efficient decoding algorithms for identifying and decoding the maximum number of errors which is information-theoretically possible, i.e. t where $d = 2t + 1$ is the minimum distance. Consequently, so do the quantum polynomial codes, since for CSS codes one simply corrects errors in each of the two bases.

They can also detect up to 2t errors, at the expense of correction. Simply measure 
a received codeword to see if its syndrome is 0. If a non-zero Pauli operator of weight 
less than d has been applied to the word, the syndrome will be non-zero, and the 
error will be detected. For an arbitrary error of weight less than d, the projection of 
the corrupted word onto the code will be exactly the original codeword. 

Remark 1. In some of our protocols, we will want to detect a large number of errors, but still be able to correct a small number. Suppose that we have identified b positions which are known to be corrupted (for example, say they have been erased). Then the quantum polynomial code will be able to identify t further errors, and will be able to correct them if there are at most $t - b$.

(That is, the punctured code (i.e. restricted to the n — b non-erased positions) 
has distance 2t + 1 — b. Given a corrupted word, one can tell if it is within t — b of a 
codeword, and correct such errors. If it is not within distance t — b of a codeword, then 
more errors occurred. However, as long as less than t errors occurred, the corrupted 
word will not be within t — b of anything but the correct codeword, since t + (t — b) 
is less than the new minimum distance). 

1.3.2 Sharing Quantum Secrets and (No) Cloning 

One of the fundamental theorems of quantum information theory is that an arbitrary 
quantum state cannot be cloned. In fact, one can say more: if there is a process with 
one input and two outputs, then if one of the outputs is a copy of the input, the 
other output must be independent of the input. We're not sure to whom this result is 
attributable but it has certainly become folklore. 
Fact 1.3 (No cloning, folklore). Let $U : \mathcal{H}_{in} \otimes \mathcal{H}_W \to \mathcal{H}_A \otimes \mathcal{H}_B$ (see footnote 6) be a unitary transformation such that for all $|\psi\rangle \in \mathcal{H}_{in}$

$U(|\psi\rangle \otimes |W\rangle) = |\psi\rangle \otimes |\varphi_\psi\rangle$

where $|W\rangle$ is some fixed auxiliary state (work bits). Then $|\varphi_\psi\rangle$ does not depend on $|\psi\rangle$.

An important consequence of this was first pointed out by Cleve, Gottesman and Lo [CGL99]: any quantum code is a scheme for sharing quantum secrets. A distance d code can correct $d - 1$ erasures, and so access to any $n - d + 1$ (uncorrupted) positions suffices to recover the encoded state; on the other hand, that means that any set of $d - 1$ positions must reveal no information at all about the encoded state. That is, the density matrix of any $d - 1$ positions is completely independent of the data.

Note that this phenomenon has no simple classical analogue: any position of a 
classical error-correcting code will leak information about the data unless the encoding 
process is randomized. This additional step is not necessary in the quantum setting 
since the randomness is somehow "built in." 



1.3.3 Tools from Fault-Tolerant Quantum Computing 

In our proposed solution, we also use techniques developed for fault-tolerant quantum computing (ftqc). The challenge of ftqc is to tolerate non-malicious faults occurring within a single computer. One assumes that at every stage in the computation, every qubit has some probability p of suffering a random error, i.e. of becoming completely scrambled (this corresponds to the classical notion of random bit flips occurring during a computation). Moreover, errors are assumed to occur independently of each other and of the data in the computation. See Section for a discussion of the difference between ftqc and mpqc. In this section, we review a number of useful results from ftqc. These come from [Sho96, AB99, GC99].



Universal Sets of Gates The usual technique behind fault-tolerant computing (both classical and quantum) is to design procedures for applying one of a small number of gates to logical (i.e. encoded) values, without having to actually decode the values and then re-encode them. That is, given the encoding of a state $|\psi\rangle$, we want a simple procedure which returns the encoding of the state $U|\psi\rangle$.

Thus, it is useful to find a small set of gates which is universal, i.e. which suffices to implement any desired function (see footnote 7). One can then simply design fault-tolerant procedures for implementing these gates, and compose them to obtain a fault-tolerant procedure for any particular function.

6 Note that in fact the in-W system and the AB system are one and the same. The two labelings simply reflect a different partitioning of the system.

7 In fact, it is impossible to find a finite set which can implement any unitary operation perfectly. However, one can approximate any unitary operation on a constant number of qubits to accuracy $\epsilon$ using $O(\mathrm{poly} \log \frac{1}{\epsilon})$ gates from a "universal" set, i.e. one which generates a group which is dense in the space of all unitary operators.
For qupits of prime dimension p, Aharonov and Ben-Or [AB99] showed that the following set of gates is universal:

1. Generalized NOT (a.k.a. X): $\forall c \in F$, $|a\rangle \mapsto |a + c\rangle$,

2. Generalized CNOT (Controlled Addition): $|a, b\rangle \mapsto |a, a + b\rangle$,

3. Swap: $|a\rangle|b\rangle \mapsto |b\rangle|a\rangle$,

4. Multiplication gate: $\forall c \in F$, $c \neq 0$: $|a\rangle \mapsto |ac\rangle$,

5. Phase Shift (a.k.a. Z): $\forall c \in F$, $|a\rangle \mapsto \omega^{ca}|a\rangle$,

6. Generalized Hadamard (Fourier Transform): $|a\rangle \mapsto \frac{1}{\sqrt{p}} \sum_{b \in F} \omega^{rab} |b\rangle$, for $0 < r < p$,

7. Generalized Toffoli: $|a\rangle|b\rangle|c\rangle \mapsto |a\rangle|b\rangle|c + ab\rangle$.

Beyond these, in order to simulate arbitrary quantum circuits one should also be able to introduce qupits in some known state (say $|0\rangle$), as well as to discard qupits. Note that these are sufficient for simulating measurements, since one can simply apply a controlled-not with a state $|0\rangle$ as the target and then discard that target.

Transversal Operations Fortunately, several of these gates can be applied transversally, that is, using only "qupit-wise" operations. These are important since they correspond to operations performed locally by the players in a multi-party protocol, if each player holds one component of an encoded state.

For example: in any CSS code, the linear gate $|a, b\rangle \mapsto |a, a + cb\rangle$ can be applied to two encoded qupits by applying the same gate "qupit-wise" to the two codewords. For any CSS code, the gates 1 through 5 from the set above can be implemented transversally [Sho96, AB99].



Remark 2. Another operation which can almost be performed transversally is measurement in the computational basis. The encoding of a classical state $|s\rangle$ in a CSS code is the equal superposition of all the words in some particular coset of $V_0 = W^\perp$ within V. Thus, measuring all the qupits of the encoding of $|s\rangle$ will always yield a codeword from that coset. Similarly, measuring all the qupits of the encoding of $\sum_s \alpha_s |s\rangle$ will yield a word from the coset corresponding to s with probability $|\alpha_s|^2$. This operation is not quite transversal since after the qupit-wise measurement, the classical information must be gathered together in order to extract the measurement result. Nonetheless, the quantum part of the processing is transversal, and this will be good enough for our purposes.

Transversal Fourier Transforms and the Dual Code In general, applying the Fourier transform transversally to a codeword from a CSS code C does not yield a word from that code. Instead, one obtains a word from the "dual code" $\tilde{C}$. If C is defined by the classical codes V and W, then $\tilde{C}$ is the CSS code obtained using the codes W and V. A natural choice of encoding for the dual code yields the following relation:

where $\mathcal{E}_C$ and $\mathcal{E}_{\tilde{C}}$ are the encoding operators for C and $\tilde{C}$ respectively.

For polynomial codes of degree $\delta$, recall that there is a related degree $\delta' = n - \delta - 1$. As one can observe from the dual codes $W^{\delta'}$, $W_0^{\delta'}$, the dual code $\tilde{C}^\delta$ is a "mangled" version of the code $C^{\delta'}$. In fact, by scaling each Fourier transform with the (non-zero) factor $d_i$, one obtains:

Note that when n is exactly $2\delta + 1$, the codes $C^\delta$ and $C^{\delta'}$ are the same, and so the Fourier transform on encoded data can in fact be applied transversally: $\tilde{\mathcal{F}}^{\otimes n} \mathcal{E}_{C^\delta}|\psi\rangle = \mathcal{E}_{C^\delta}(\mathcal{F}|\psi\rangle)$, where $\tilde{\mathcal{F}}^{\otimes n}$ denotes the scaled Fourier transforms applied qupit-wise.



Transversal Reductions to Degree Reduction for $\delta < n/3$ As mentioned above, the only operations that cannot, in general, be performed transversally on Reed-Solomon codes are the Fourier transform and the Toffoli gate. However, when $\delta$ is less than n/3, [AB99] reduces both of them to the problem of degree reduction, which involves mapping the encoding of $|\psi\rangle$ under the dual code $C^{\delta'}$ to the encoding of $|\psi\rangle$ under the original code $C^\delta$.

For the Fourier transform, the reduction is obvious: we showed above that by performing (scaled) Fourier transforms transversally to $\mathcal{E}_{C^\delta}|\psi\rangle$, one obtains $\mathcal{E}_{C^{\delta'}}(\mathcal{F}|\psi\rangle)$. Thus, performing degree reduction would produce $\mathcal{E}_{C^\delta}(\mathcal{F}|\psi\rangle)$, which is the desired result.

For the Toffoli gate, note that $\delta < n/3$ implies that $\delta' = n - \delta - 1$ is at least $2\delta$. The underlying idea is simple: suppose we have three polynomials p, q, r of degree at most $\delta$, $\delta$ and $\delta'$ respectively, such that $p(0) = a$, $q(0) = b$ and $r(0) = c$. Take the polynomial r' given by $r'(i) = r(i) + p(i)q(i)$ for all $i = 1, \ldots, n$. First, note that if p, q have degree at most $\delta$ and r has degree at most $\delta' \geq 2\delta$, then $\deg(r') \leq \delta'$. Moreover, if p, q, r are random polynomials subject to the above constraints, then p, q, r' will also form a random triple of polynomials, which interpolate to the values a, b, c + ab.

To map this to a procedure for implementing the Toffoli gate, suppose that we have the encodings of $|a\rangle$ and $|b\rangle$ using the code $C^\delta$. Suppose that we also have the encoding of $|c\rangle$ using the related code $C^{\delta'}$. By applying the Toffoli gate qupit-wise, we obtain the encoding of $c + ab$ under the related code:

$\mathcal{E}_{C^\delta}|a\rangle \mathcal{E}_{C^\delta}|b\rangle \mathcal{E}_{C^{\delta'}}|c\rangle \mapsto \mathcal{E}_{C^\delta}|a\rangle \mathcal{E}_{C^\delta}|b\rangle \mathcal{E}_{C^{\delta'}}|c + ab\rangle$

Thus, to implement the Toffoli gate fault-tolerantly it is sufficient to have an implementation of the two maps $\mathcal{E}_{C^\delta}|\psi\rangle \mapsto \mathcal{E}_{C^{\delta'}}|\psi\rangle$ and $\mathcal{E}_{C^{\delta'}}|\psi\rangle \mapsto \mathcal{E}_{C^\delta}|\psi\rangle$. Note that this is equivalent to having a procedure for just one map $\mathcal{E}_{C^{\delta'}}|\phi\rangle \mapsto \mathcal{E}_{C^\delta}|\phi\rangle$, since one can simply apply the Fourier transform first and its inverse afterwards to reverse the direction.



Implementing Degree Reduction The circuit we use for degree reduction is due to Gottesman and Bennett [Got] (based on [GC99]), and is much more efficient than the original one proposed in [AB99]. Begin with the state to be transformed (call this system $\mathcal{H}_1$) and an ancilla in state $\mathcal{E}_{C^\delta}|0\rangle$ (called $\mathcal{H}_2$).

1. Apply controlled addition from $\mathcal{H}_1$ to $\mathcal{H}_2$.

2. Apply the scaled Fourier transform transversally to $\mathcal{H}_1$.

3. Measure $\mathcal{H}_1$ in the computational basis, obtaining b.

4. Apply a conditional phase shift with scaling factor $-b$ to $\mathcal{H}_2$.

The effect of this on the basis state $\mathcal{E}_{\tilde{C}}|a\rangle$ (for $a \in \mathbb{Z}_p$) is:

$\mathcal{E}_{\tilde{C}}|a\rangle \mathcal{E}_C|0\rangle \mapsto \mathcal{E}_{\tilde{C}}|a\rangle \mathcal{E}_C|a\rangle \mapsto \sum_b \omega^{ab} \mathcal{E}_C|b\rangle \mathcal{E}_C|a\rangle \mapsto \omega^{ab} \mathcal{E}_C|a\rangle$ (with b known) $\mapsto \mathcal{E}_C|a\rangle$

This procedure in fact works for arbitrary linear combinations (intuitively, this is because the measurement result b yields no information about a).

Note that this entire procedure can be performed transversally except for the measurement step. However, as noted above (Remark 2), measurement requires only classical communication between the components (namely, each component is measured and the classical decoding algorithm for the code $V^\delta$ is applied to the result).

1.4 Neighborhoods of Quantum Codes 

One of the ideas behind classical multi-party computing protocols is to ensure that 
data is encoded in a state that remains "close" to a codeword, differing only on those 
positions held by cheaters, so that error correction and detection can be used to 
correct any tampering, or at least detect it and identify its origin. 

For classical codes, the notion of closeness is clear: the set of positions on which 
a real word v differs from a codeword provides a lot of information; in particular, the 
size of this set is the Hamming distance of v from the code. As long as the minimum 
distance of the code is at least 2t, ensuring that v differs from a codeword only on 
the positions held by cheaters means that any errors introduced by cheaters will be 
correctable. 

Given a set B of cheaters ($B \subseteq \{1, \ldots, n\}$), we define:

$W_B = \{v : \exists w \in W \text{ s.t. } \mathrm{supp}(v - w) \subseteq B\}$

$= \{v : \exists w \in W \text{ s.t. } v \text{ differs from } w \text{ only on positions in } B\}$

Equivalently, one can define $W_B$ as the set of words obtained by distributing a (correct) codeword to all players, and then having all players send their shares to some (honest) receiver/reconstructor.

Remark 3. $V_B$ is a linear code, and its dual is exactly the set of words in $V^\perp$ which have support included in the complement of B (say $A = \{1, \ldots, n\} \setminus B$). In particular, this means that if one wants to measure the $V_B$-syndrome, one only needs access to positions in A.
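As an added example (not code from the thesis), the following Python builds $V_B$ and its dual for the classical Reed-Solomon code $V = V^\delta$ and verifies Remark 3: the $V_B$-syndrome is computed from the shares held by A alone, a word corrupted only on the cheater's position passes it (while the plain V-syndrome still flags the corruption), and a word corrupted on an honest position fails it. This is the computational-basis half of the two-basis check the section goes on to use for CSS codes; the Fourier-basis half uses $W_B$ the same way. The parameters p = 7, n = 5, δ = 2 and the cheater set B = {2} (0-based positions) are constructed for the example.

```python
from itertools import product

# Constructed parameters (assumption for this example): p = 7, n = 5, delta = 2,
# so t = 1, and a single cheater B = {2} (positions are 0-based).
P, N, DELTA = 7, 5, 2
B = {2}
A = [i for i in range(N) if i not in B]

def rs_word(coeffs):
    """q -> (q(1), ..., q(n)) over Z_p; these words form the code V = V^delta."""
    return tuple(sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
                 for i in range(1, N + 1))

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

V_BASIS = [rs_word(tuple(int(j == k) for j in range(k + 1)))
           for k in range(DELTA + 1)]
V = {rs_word(cs) for cs in product(range(P), repeat=DELTA + 1)}

# V^perp by brute force (p^n = 16807 candidates; fine at this size).
V_PERP = [u for u in product(range(P), repeat=N)
          if all(dot(u, b) == 0 for b in V_BASIS)]
# Remark 3: (V_B)^perp is the set of words of V^perp supported inside A.
VB_PERP = [u for u in V_PERP if all(u[i] == 0 for i in B)]

def vb_syndrome(shares):
    """V_B-syndrome computed from the honest players' shares only.
    `shares` maps position -> value for the positions in A; B is never read."""
    return tuple(sum(u[i] * shares[i] for i in A) % P for u in VB_PERP)

def in_vb(word):
    return not any(vb_syndrome({i: word[i] for i in A}))

def v_syndrome(word):
    return tuple(dot(u, word) for u in V_PERP)

def check_remark_3():
    """The words passing the A-only test are exactly V_B as defined: a
    codeword with an arbitrary value on the (single) position in B."""
    vb_by_definition = {tuple(x if i in A else b for i, x in enumerate(w))
                        for w in V for b in range(P)}
    vb_by_test = {w for w in product(range(P), repeat=N) if in_vb(w)}
    return vb_by_definition == vb_by_test

def demo():
    """A constructed codeword, corrupted on the cheater's position (stays in
    V_B, though V's own syndrome flags it) and on an honest position (leaves V_B)."""
    cw = rs_word((4, 2, 5))
    on_b = list(cw)
    on_b[2] = (on_b[2] + 3) % P
    on_a = list(cw)
    on_a[0] = (on_a[0] + 3) % P
    return (in_vb(cw), in_vb(tuple(on_b)), any(v_syndrome(tuple(on_b))),
            in_vb(tuple(on_a)))
```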
For quantum codes, the situation is more complex. For a CSS code C, there is more than one natural definition of the neighborhood corresponding to a set B of positions. Let $\mathcal{H} = \mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_n$ be partitioned according to two sets A, B, so that $\mathcal{H} = \mathcal{H}_A \otimes \mathcal{H}_B$. We consider three definitions of a "B-neighborhood" of C. Let $\rho$ be an arbitrary state of $\mathcal{H}$.

For a mixed state given by density matrix $\rho'$, we say $\rho'$ is "in" C if all states in the mixture lie in C (no matter how the mixture is written). Algebraically, this is given by the condition $\mathrm{Tr}(P_C \rho') = 1$ where $P_C$ is the projector onto the subspace C (see footnote 8).

1. $\rho$ differs from a state in C only by some super-operator local to B:

$N_B(C) = \{\rho : \exists \rho' \text{ in } C,\ \exists \mathcal{O} \text{ super-operator acting only on } \mathcal{H}_B \text{ s.t. } \rho = \mathcal{O}(\rho')\}$

2. $\rho$ cannot be distinguished from a state in C by looking only at positions in A. Algebraically, this is captured by requiring that the density matrix obtained by "tracing out" the positions in B be the same as for some state in the code (the notation ST stands for "same trace"):

$ST_B(C) = \{\rho : \exists \rho' \text{ in } C \text{ s.t. } \mathrm{Tr}_B(\rho) = \mathrm{Tr}_B(\rho')\}$

3. Specifically for CSS codes, one could simply require that the state $\rho$ pass checks on A in both bases, i.e. that measuring either the $V_B$-syndrome in the computational basis, or the $W_B$-syndrome in the Fourier basis, would yield the result 0. The set of states which pass this test is:

$C_B = V_B^{(q)} \cap \mathcal{F}^{\otimes n} W_B^{(q)}$.

These notions form a hierarchy, namely $N_B(C) \subseteq ST_B(C) \subseteq C_B$. (The first inclusion holds since super-operators local to B do not change the density matrix of the components in A. The second inclusion holds since the outcome distribution of any tests local to A is determined entirely by $\mathrm{Tr}_B(\rho)$.) However, the three notions are distinct and in fact only one of them — notion (3) — always describes a linear subspace of $\mathcal{H}$. We discuss these three notions further in the Appendix.

In the analysis of quantum error-correction and fault-tolerance protocols, it is sufficient to consider notion (1). This stems from two reasons. On one hand, one starts from a correctly encoded state. On the other hand, the errors introduced by the environment will be independent of the encoded data (and in fact they must be for error-correction to be possible at all in that context).

In our setting, however, we cannot make such assumptions, since the cheaters might possess states which are entangled with the data in the computation, and so the errors they introduce will not be independent of that data. Instead, the main contribution of this paper is the construction of protocols which guarantee conditions similar to (3) above. In Section 2.1, we illustrate the ideas with a simple protocol, dubbed subspace projection, which is sufficient for VQSS and mpqc when t < n/8. In Section 2.2, we give a VQSS protocol tolerating t < n/4, and we show that this tolerance is optimal in Section 2.3. Finally, in Section 2.4, we show how to ensure condition (3) above and how the techniques from fault-tolerant computing can then be used to achieve multi-party computation of an arbitrary quantum circuit when t < n/6.

8 To see why this is the case, write $\rho' = \sum_i p_i |\psi_i\rangle\langle\psi_i|$ with $\langle\psi_i|\psi_j\rangle = \delta_{ij}$ and $\sum_i p_i = 1$. Then all the $|\psi_i\rangle$'s are in C if and only if $\langle\psi_i|P_C|\psi_i\rangle = 1$. Taking the trace of the matrix $P_C \rho'$ yields 1 if and only if this condition holds.



1.4.1 Well-Definedness of Decoding for States in Cb 

In this section we prove a property of Cb which will be useful in the proof of security 
(and hopefully also provide some intuition for our construction). 

Suppose that the minimum distance of C is $d \geq 2t + 1$, and B is restricted in size: $|B| \leq t$. Then applying the usual decoding circuit for C without knowing exactly where B is yields the same result as applying an ideal interpolation circuit which first discards positions in B and then reconstructs the logical data as if it was handling a regular codeword. Formally, there are two natural "reconstruction operators" for extracting the secret out of a state which has been shared among several players.

1. $\mathcal{D}$ is the decoding operator for the error-correcting code C. For any operator $E_j$ of weight less than t and for any state $|\phi\rangle$ in C, we have $\mathcal{D} E_j |\phi\rangle = |\phi\rangle \otimes |j\rangle$ (i.e. the error is not only corrected but also identified). It will then discard the system containing the syndrome information.

2. $\mathcal{R}^I$ is the "ideal recovery operator", defined by identifying the set B of cheaters and applying the simple interpolation circuit to a set of $n - 2t$ good players' positions.

Proposition 1.4. For any state $\rho$ in $C_B$ where $|B| \leq t$, the state $\mathcal{R}^I(\rho)$ is well-defined and is equal to $\mathcal{D}(\rho)$.

We give the proof of this below. For now, note that Proposition 1.4 means that no changes made only to the components in B — no matter how they might be made to interact with outside systems entangled with the data — will change the reconstructed state.

In order to prove Proposition 1.4, we characterize $C_B$ algebraically:

Lemma 1.5. Suppose that $\rho$ has fidelity 1 to $C_B = V_B^{(q)} \cap \mathcal{F}^{\otimes n} W_B^{(q)}$. Then we can write

$\rho = \sum_i p_i |\psi_i\rangle\langle\psi_i|$ with $|\psi_i\rangle = \sum_j E_j |\phi_{ij}\rangle$,

where the $E_j$ are Pauli operators on B and $|\phi_{ij}\rangle \in C$.

Recall that given a state $\rho$, testing if $\rho$ is in $V_B^{(q)}$ is easily described: For each element of (a basis of) the dual space $V_B^\perp$, we measure the corresponding linear combination of the qupits of $\rho$ in the computational basis, and check that it is 0. Recall that the vectors of the dual space $V_B^\perp$ have support only on A (since arbitrary changes to positions in B should not affect whether or not a word is in $V_B$), and so one need not have access to the components in B in order to perform the measurement. Similarly, to check if $\rho$ is in $\mathcal{F}^{\otimes n} W_B^{(q)}$ we rotate into the Fourier basis and measure the linear combinations corresponding to a basis of $W_B^\perp$.

Note that since $V_B^\perp \subseteq V^\perp$ and $W_B^\perp \subseteq W^\perp$, and since measuring the $V$-syndrome 
in the computational basis commutes with measuring the $W$-syndrome in the Fourier 
basis, we know that the following four measurements commute: 

1. $V_B$-syndrome in the computational basis 

2. $V$-syndrome in the computational basis 

3. $W_B$-syndrome in the Fourier basis 

4. $W$-syndrome in the Fourier basis 



Proof (of Lemma 1.5): As was just mentioned, to check if $\rho$ is in $C_B$, we measure 
the $V_B$-syndrome in the computational basis and the $W_B$-syndrome in the Fourier 
basis. But by the remarks above, the distribution on the outcome of this measurement 
will not change if we first measure the $V$ and $W$ syndromes, i.e. if we first make 
a measurement which projects $\rho$ into one of the subspaces $E_j C$ (i.e. $\rho$ maps to 
$\rho' = P_j \rho P_j$ with probability $\mathrm{Tr}(P_j \rho)$, where $P_j$ is the projector onto the space $E_j C$). 

The new state $\rho'$ lies completely in one of the spaces $E_j C$. However, $E_j C$ is either 
contained in $C_B$ (if there is an operator equivalent to $E_j$ which acts only on $B$) or 
orthogonal to $C_B$ (if no such operator exists). 

Thus, for $\rho$ to have fidelity 1 with $C_B$, it must be that $\mathrm{Tr}(P_j \rho) = 0$ for all $E_j$ 
which act on more than $B$. Hence $\rho$ is a mixture of states $|\psi_i\rangle$ each of which is a 
linear combination of elements of the spaces $\{E_j C\}$, where $E_j$ acts only on $B$. □ 



Proof (of Proposition 1.4): Consider a particular basis state $E_j \mathcal{E}|a\rangle$, where $\mathcal{E}$ is the 
encoding operator for $C$. The decoding operator $\mathcal{D}$ will produce the state $|a\rangle|j\rangle$, since 
errors of weight at most $t$ can be identified uniquely. The ideal operator $\mathcal{R}^I$ will extract 
the encoded state $|a\rangle$. Without loss of generality, the ideal recovery operator will replace 
$|a\rangle$ with $|0\rangle$, so that the final output is $|a\rangle \otimes E_j \mathcal{E}|0\rangle$. 

In both cases, the output can be written as $|a\rangle$ tensored with some ancilla whose 
state depends only on the syndrome $j$ (and which identifies $j$ uniquely). Once that 
ancilla is traced out, the outputs of both operators will be identical. Another way to 
see this is that the ideal operator can simulate the real operator: one can go from the 
output of the ideal operator to that of the real operator by applying a transformation 
which only affects the ancilla. For a state $\rho$ expressed as in Lemma 1.5, the final 
outcome will be $\rho' = \sum_{i,j} p_i |\alpha_{ij}|^2 |\phi_{ij}\rangle\langle\phi_{ij}|$. □ 
Chapter 2 

Distributed Protocols for Quantum 
Computers 



2.1 Subspace Projection 

Before presenting the main VQSS protocol, we describe a protocol for a simpler task 
that we call subspace projection, which illustrates the key ideas in the VQSS protocol. 
Namely, we first modify a classical protocol of [CCD88] so that the dealer does not 
have to remember the random bits he used in sharing his secret. Second, we apply 
this protocol both in the computational and Fourier bases. We use a "quantum-to- 
classical" argument to show that this guarantees that the joint state shared by the 
players satisfies condition (3) from the discussion on neighborhoods, i.e. that the 
joint state passes certain local checks in both bases. 

Recall that for any given system of $n$ qupits and any linear subspace $W$ of $F^n = \mathbb{Z}_p^n$, 
we define 

$$W^{(q)} = \mathrm{span}\{|w\rangle : w \in W\}.$$ 

For this protocol, $W$ can be any code with minimum distance $2t+1$ and an efficient 
decoding algorithm. However, for concreteness, let $W$ be the RS code $V^\delta$, where 
$n = 4t+1$ and $\delta = 2t$. 

Let $\mathcal{H}_0, \ldots, \mathcal{H}_k$ be separate quantum systems consisting of $n$ qupits each, and let 
$\mathcal{H} = \mathcal{H}_0 \otimes \cdots \otimes \mathcal{H}_k$. Say the dealer prepares $\mathcal{H}$ in some state and gives the $i$th qupit 
of each subsystem $\mathcal{H}_j$ to player $i$. He wants to prove to the group that in fact the 
fidelity of $\mathcal{H}_0$ to the space $W^{(q)}$ is close to 1$^1$ without revealing any information 
beyond that to the other players. What we achieve in this first step is not quite that 
strong: at the end of the protocol, there will be a publicly known set $B$ of "apparent 
cheaters" such that the shares of the honest players not in $B$ will all agree with $W$ 
in the computational basis, i.e. will have high fidelity to the space $W_{B \cup C}^{(q)}$. 

We obtain a "cut-and-choose" protocol, also similar to the "random hashing" 
technique used in purification protocols (Protocol 3, Figure 2-1). Note that VSS and 
broadcast of classical data are not a problem since $t < n/4 < n/3$ ([BGW88, CCD88, 
Lyn96]). 

$^1$ It would be desirable to be able to prove that the fidelity is in fact exactly 1. This remains 
an interesting open question. This corresponds to the classical difference between zero-error and 
small-error protocols. 



Protocol 3 (Subspace projection). 

1. Sharing: The dealer $D$ prepares $\mathcal{H}_0$ as any state (pure or mixed) in $W^{(q)}$ and distributes 
it to the players. He then prepares $\mathcal{H}_1, \ldots, \mathcal{H}_k$ in the equal superposition $\sum_{w \in W}|w\rangle$, 
and distributes those to the players also. 

2. Verification: Using classical VSS, every player commits to $k$ field elements picked 
uniformly at random. These commitments are then opened and their sum is taken to obtain 
$k$ field elements $b_1, \ldots, b_k$ (these are completely unpredictable to the dealer, even if he 
is cheating). 

3. For $\ell = 1, \ldots, k$, players apply the linear operation $(x, y) \mapsto (x, y + b_\ell x)$ to the subsystems 
$\mathcal{H}_0$ and $\mathcal{H}_\ell$. All players then measure their shares of $\mathcal{H}_1, \ldots, \mathcal{H}_k$ in the computational 
basis and broadcast the result. 

4. Each of the broadcast words $w_1, \ldots, w_k$ is decoded using classical error correction of 
the code $W$: for each $w_\ell$, we obtain either that it was at distance more than $t$ from every 
word in $W$, or an error vector with support $B_\ell \subseteq \{1, \ldots, n\}$ of size at most $t$ 
on which $w_\ell$ differs from a word in $W$. 

The dealer is rejected if any of the broadcast words was at distance more than $t$ or if 
$B = \bigcup_{\ell=1}^k B_\ell$ has size greater than $t$. Otherwise, the dealer is accepted. 

Figure 2-1: Protocol 3 (Subspace Projection) 



2.1.1 Completeness 

Lemma 2.1. When the dealer $D$ is honest, he will pass the protocol. Moreover, we 
will have $B \subseteq C$, i.e. only real cheaters will be accused of cheating. 

Proof: If the dealer is honest, he will use some $\mathcal{H}_0$ in $W^{(q)}$ and will have all $\mathcal{H}_\ell$'s 
in state $\sum_{w \in W}|w\rangle$. Consider some round $\ell$. Now no matter what the value of $b_\ell$ is, 
applying $(c\text{-}X^{b_\ell})$ to all of the shares is equivalent to the identity on $\mathcal{H}_0 \otimes \mathcal{H}_\ell$, since 
for all $v \in W$, we have: 

$$(c\text{-}X^{b_\ell})\,|v\rangle \sum_{w \in W}|w\rangle = |v\rangle \sum_{w \in W}|w + b_\ell v\rangle = |v\rangle \sum_{w \in W}|w\rangle$$ 

Of course, in the protocol we can only guarantee that honest players will apply 
$(c\text{-}X^{b_\ell})$ to their shares of $\mathcal{H}_0$ and $\mathcal{H}_\ell$. Nonetheless, the result is the same as applying the 
identity to the honest players' shares. Consequently, the values broadcast at Step 3 
by the honest players will all be consistent with some $w \in W$. Since we've assumed 
that the distance of the code $W$ is at least $2t+1$, any false values broadcast by 
cheaters will be identified as such. Thus, the set $B$ will only contain cheaters, and 
the dealer will pass the protocol. Moreover, the honest players' shares of $\mathcal{H}_0$ will also 
be preserved, so $\mathcal{H}_0$ will remain in 



2.1.2 Soundness 

Lemma 2.2. Let $\hat{B} = B \cup C$. At the end of the protocol above, the fidelity of the 
system to the statement "either $\mathcal{H}_0$ is in $(W_{\hat{B}})^{(q)}$ or the dealer has been rejected" is 
exponentially close to 1 in $k$. 

To prove this, we will employ a "quantum to classical" reduction, as in [LC99]. 

Lemma 2.3. Consider the subspace projection protocol above. Then the behavior of 
the protocol is the same in each of the two following experiments: 

Experiment 1: at the end of the whole protocol, all honest players measure their 
shares of $\mathcal{H}_0$ in the computational basis, or 

Experiment 2: at the end of the sharing phase, all honest players measure their 
shares of $\mathcal{H}_0$ and $\mathcal{H}_1, \ldots, \mathcal{H}_k$ in the computational basis, and then run the verification 
phase. 

Moreover, the distribution on the results of the measurement of $\mathcal{H}_0$ is the same in 
both cases. 



Proof: The actions of the honest players on their shares in the original protocol can 
be seen as the composition of $k$ super-operators, each of which is comprised of two 
operations: a controlled-addition gate from $\mathcal{H}_0$ to $\mathcal{H}_\ell$ followed by measurement of $\mathcal{H}_\ell$. 
Denote the controlled-addition gate by $(c\text{-}X^b)_\ell$, where $b$ is the scaling factor for the 
controlled addition. Second, denote measurement of $\mathcal{H}_\ell$ in the computational basis 
by $M_\ell$. 

Consider what happens in the $\ell$th verification step in Experiment 1. Because the 
controlled-addition gate is a permutation of the basis states of the computational 
basis, measuring the systems in that basis before the gate is applied will not change 
the outcome of measurements made after the gate is applied. Thus we can write 
$M_\ell M_0 (c\text{-}X^{b_\ell})_\ell = M_\ell M_0 (c\text{-}X^{b_\ell})_\ell M_\ell M_0$, and the distribution of the measurements 
made after the gate is applied will not change. 

But now notice that measuring the system $\mathcal{H}_0$ afterwards is completely redundant. 
Because the controlled-addition gate does not change the first component of any 
basis vector, measuring $\mathcal{H}_0$ after the application of the gate will yield the same result 
as measuring it before. Hence, we can write $M_\ell M_0 (c\text{-}X^{b_\ell})_\ell = M_\ell (c\text{-}X^{b_\ell})_\ell M_\ell M_0$. 
However, this is exactly the sequence of operations performed by honest players in 
Experiment 2: first they measure both systems, then apply the addition gate and 
measure the target. 

Thus, the measurement outcomes will be the same in both experiments. Moreover, 
the cheaters can see no difference between the two experiments, and so their behavior 
will not change. □ 

In other words, we can imagine two situations. In the first one, just after the 
sharing phase of the protocol, an outsider comes in and secretly measures honest 
players' shares of $\mathcal{H}_0, \ldots, \mathcal{H}_k$ in the computational basis. In the second, the outsider 
performs this secret measurement after the protocol is completed. The statement 
is that exactly when he makes his measurement will not change the behavior of the 
protocol. 

But recall that our original statement of the correctness of the protocol is that, 
at the end of the protocol, either the dealer has been caught or the shares of players 
are in $(W_{\hat{B}})^{(q)}$. Since fidelity to $(W_{\hat{B}})^{(q)}$ is the same as the probability that measuring in 
the computational basis gives a word in $W_{\hat{B}}$ (i.e. agrees with $W$ when truncated to 
positions neither in $B$ nor $C$), Lemma 2.3 allows us to restrict ourselves to thinking 
about situations in which the shares of the systems $\mathcal{H}_0, \ldots, \mathcal{H}_k$ sent to honest players 
were in fact classical states. 

Now consider the classical protocol corresponding to the subspace projection 
protocol: the dealer distributes $k+1$ codewords $w_0, \ldots, w_k$. At each step, a random 
multiple of $w_0$ is added to one of the other codewords and the result is broadcast. At 
the end, players compute $B$ as above and decide whether or not to reject the dealer. 
(This is the blob protocol of [CCD88], modified so as not to require the involvement 
of the dealer beyond the sharing stage.) 



Lemma 2.4 (Soundness of Modified Blobs from [CCD88]). At the end of the classical 
protocol, let $A$ be the set of honest players not in $B$. The event "either the players 
in $A$ have consistent shares or the dealer was caught" occurs with probability at least 
$1 - 2^{n-k}$, even when the adversary is adaptive. 

Proof: Note that this statement is the same as: Pr[the players in $A$ do not have 
consistent shares and the dealer was not caught] $\leq 2^{n-k}$. 

Recall that the adversary is adaptive, and can choose which set of players to 
corrupt on the fly. Nonetheless, the adversary's strategy can be reduced to choosing 
the set $A$ of players who will be neither corrupted ($\notin C$) nor accused ($\notin B$), but 
such that $w_0$ is not consistent on $A$, while the broadcast vectors $w_\ell + b_\ell w_0$ are all 
consistent. 

Fix any particular set $A$. If the shares of $w_0$ are not consistent on $A$, then there is 
at most a single value $b_\ell \in F$ such that the shares of $w_\ell + b_\ell w_0$ broadcast by players 
in $A$ will be consistent, since the set of consistent vectors is a subspace. Thus, the 
probability of the dealer passing all $k$ tests with that set $A$ is at most $\frac{1}{|F|^k}$. Overall, 
there are at most $2^n$ choices for the subset $A$, and so the adversary's total probability 
of being able to find a subset $A$ of honest players for which cheating is possible is 
bounded above by $\frac{2^n}{|F|^k} \leq 2^{n-k}$. □ 



This completes the proof of Lemma 2.2. 

Remark 4. As mentioned in the Definitions, we do not handle adaptive adversaries 
explicitly in this thesis. However, we believe that our protocols are secure against 
an adaptive adversary, and the previous proof gives some flavor of how the classical 
arguments can be used. In this case, a union bound argument was sufficient. 
For proving the security of the quantum protocols, a more sophisticated version of 
the quantum-to-classical reduction above (Lemma 2.3) would be necessary (and, we 
believe, sufficient). 

2.1.3 Dual Subspace Projection 

Consider a "dual" version of the subspace projection protocol above. It is the same 
as the original protocol, with three changes: 

1. Before proceeding to the verification phase all players apply the Fourier transform 
to all their shares. 

2. At the end all players apply the inverse Fourier transform to their shares of $\mathcal{H}_0$. 

3. (When $D$ is honest) $D$ prepares the ancillas $\mathcal{H}_1, \ldots, \mathcal{H}_k$ as a superposition over all 
words from the dual code $W^\perp$ (i.e. $\sum_{w \in W^\perp}|w\rangle$). 

Now the state $\sum_{w \in W^\perp}|w\rangle$ is the image of $\sum_{w \in W}|w\rangle$ under transversal Fourier 
transforms. Thus, we can use the same analysis as in the previous section. At the 
end of this "dual" protocol, the fidelity of the system to the statement "either the 
dealer is caught or $\mathcal{H}_0$ is in the space $\mathcal{F}^{\otimes n} W_{\hat{B}}^{(q)}$" is high. 

But recall that conjugating by Fourier rotations maps linear gates to linear gates 
(see the corresponding section of Chapter 1). In particular, controlled-addition gates 
simply have their direction reversed, i.e. source and target are swapped. Thus, the 
modifications to the original subspace projection protocol can be restated as follows: 

1. the controlled-addition gates are performed from $\mathcal{H}_\ell$ to $\mathcal{H}_0$; 

2. the measurements are made in the rotated (Fourier) basis; 

3. (When $D$ is honest) $D$ prepares the ancillas $\mathcal{H}_1, \ldots, \mathcal{H}_k$ as a superposition over all 
words from the dual code $W^\perp$ (i.e. $\sum_{w \in W^\perp}|w\rangle$). 

"One-Level" Sharing and VQSS for $t < n/8$. Now suppose that there is some 
other code $V$ such that before the protocol begins, all the systems $\mathcal{H}_0, \ldots, \mathcal{H}_k$ are 
in $V^{(q)}$. Then that property will not be affected by the protocol, since the addition 
gates will not affect it. Thus, at the end of the protocol the shares of $\mathcal{H}_0$ would be in 
$V^{(q)} \cap \mathcal{F}^{\otimes n} W^{(q)}$. 

This leads to a first pass at a quantum sharing protocol: have the dealer distribute 
$k+1$ groups of $k+1$ systems. In each group, use $k$ of the systems to prove that 
the remaining system lies in $V^{(q)}$ using the subspace projection protocol. Next, take 
the $k+1$ resulting systems, and use $k$ of them to prove that one of them is also in 
$\mathcal{F}^{\otimes n} W^{(q)}$ using the "dual" protocol. 

Intuitively, this combination of the subspace projection protocol and the dual 
protocol achieves VQSS when $t < n/8$: since both the set of apparent cheaters and the set of 
real cheaters have size at most $t$, the protocol allows the dealer to guarantee that the 
shared state is in $C_{\hat{B}}$ where $|\hat{B}| \leq 2t < n/4$. Since the decoding operator is well-defined on 
such states (Proposition 1.4), the dealer is essentially committed to a unique value 
regardless of any changes the players make subsequently. 

In the next section, we extend the ideas of this section, combining them with 
the classical VSS protocol of [CCD88] to obtain a VQSS protocol which is secure for 
$t < n/4$. We also show how to prove equivalence of that protocol to the ideal-model 
protocol of Section 1.2.6. 



2.2 VQSS Protocol: Two-Level Quantum Sharing 

In this section we define a two-tiered protocol for VQSS. It is based on the VSS 
protocols of [CCD88] as well as on the literature on quantum fault-tolerance and 
error-correction, most notably on [AB99]. 

We first define the classical notion of "correctness" of a sharing used in [CCD88] 
and give a modified version of the [CCD88] VSS protocol that does not require the 
dealer's participation. We then describe our VQSS protocol (Section 2.2.3) and prove its 
security (Sections 2.2.4 to 2.2.6). Finally, we state the round and communication 
complexity of our protocol (Section 2.2.7) and some additional useful properties of 
the sharings it generates (Section 2.2.8). 



2.2.1 Sharing Shares: 2-GOOD Trees 



In the VSS protocol of [CCD88], the dealer $D$ takes his secret, splits it into $n$ shares 
and gives the $i$th component to player $i$. Player $i$ then shares this value by splitting 
it into $n$ shares and giving the $j$th of these to player $j$. Thus, there are $n^2$ total 
shares, which can be thought of as the leaves of a tree with depth 2 and fan-out $n$: 
each leaf is a share; the $i$th branch corresponds to the shares created by player $i$, and 
the root corresponds to the initial shares created by the dealer. Thus player $j$ holds 
the $j$th leaf in each branch of this tree. 

We will run a cut-and-choose protocol similar to the subspace projection protocol 
above, in order to guarantee some kind of consistency of the distributed shares. 

During the protocol we accumulate $n+1$ sets of apparent cheaters: one set $B$ for 
the dealer (this corresponds to a set of branches emanating from the root), and one 
set $B_i$ for each player $i$ (this corresponds to a subset of the leaves in branch $i$). These 
sets all have size at most $t$. 

N.B.: Since the dealer is one of the players in the protocol, we can in fact identify 
$B$ with $B_i$, where the dealer is player $i$. However, by ignoring this fact we lose 
no correctness and gain some simplicity in the exposition and security proof of the 
protocol. 

At the end of the protocol, we want to guarantee certain invariants: 
Definition 4 (2-GOOD trees). We say a tree of $n^2$ field elements is 2-GOOD with 
respect to the code $V$ and the sets $B, B_1, \ldots, B_n$ if: 

1. For each $i \notin C$ (corresponding to an honest player), we have $B_i \subseteq C$, i.e. all 
apparent cheaters are really cheaters. 

2. For each branch $i \notin B$, the shares held by the honest players not in $B_i$ should all 
be consistent with some polynomial of degree $\leq \delta$, i.e. with some codeword in $V$. 
That is, the vector of all shares should be in $V_{B_i \cup C}$, where $C$ is the set of cheating 
players. 

N.B.: Because there are at most $t$ players in $B_i$ and at most $t$ cheaters, there are 
at least $n - 2t \geq \delta + 1$ honest players remaining, and so the polynomial above is 
uniquely defined. This guarantees that for each branch $i \notin B$, there is a unique 
value $a_i \in F$ which is obtained by interpolating the shares of the honest players not 
in $B_i$. 

3. For $i \notin B$, the values $a_i$ defined by the previous property are all consistent with a 
codeword of $V$ (i.e. the vector $(a_1, \ldots, a_n)$ is in $V_B$). 

We will abbreviate this as 2-GOOD$_V$ when the sets $B, B_1, \ldots, B_n$ are clear from the 
context. 
Why is this a useful property to guarantee? It turns out that this ensures the 
soundness of a sharing protocol. Suppose that all players broadcast their shares of a 
given 2-GOOD tree. Call the vector of shares in the $i$th branch $v_i$, so that player $j$ holds 
the values $v_i(j)$ for all $i$. Consider the reconstruction procedure Recover (Figure 2-2). 



Algorithm 1. Recover$(T, V, B, B_1, \ldots, B_n)$ 

Input: a tree $T$ which is 2-GOOD with respect to the code $V$ and the sets $B, B_1, \ldots, B_n$. 
Output: $a \in F$ 

1. For each branch $i \notin B$: let $b = |B_i|$. If $i$ is honest, then we expect the truncated 
word $v_i|_{B_i}$ (i.e. $v_i$ with the positions in $B_i$ deleted) to be within distance $t - b$ of a 
codeword in the truncated code $V|_{B_i}$. Now this truncated code has distance $2t + 1 - b$: 
it can detect up to $t$ errors and correct them when there are at most $t - b$ of them. 

If the truncated word $v_i|_{B_i}$ is at distance at most $t - b$ from a real codeword, then 
correct the error and let $a_i$ be the interpolated value for that codeword. Otherwise 
output a null value $a_i = \bot$. 

2. Take any set of $\delta + 1$ indices $i$ such that $i \notin B$ and $a_i \neq \bot$. Find the unique 
polynomial $p$ of degree at most $\delta$ such that $p(i) = a_i$. Output $a = p(0)$ as the reconstructed secret. 

Figure 2-2: Algorithm 1 (Reconstruction for a 2-GOOD tree) 
Lemma 2.5. Suppose that a sharing is 2-GOOD. If all players broadcast their shares, 
then the same value $a$ will always be reconstructed for the root of the tree (i.e. regard- 
less of the values broadcast by the cheaters). 

We omit this proof here, since it is essentially re-proven in our analysis of the 
quantum protocol (see Lemma 2.11). We note that the protocols (and proofs) of 
[CCD88] used this lemma implicitly, but did not use the recovery algorithm as stated 
here. Instead, they required players to remember what shares they had distributed 
to other players. 
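The two classical procedures above, the single verification round on which Lemma 2.4 rests (once $w_0$ is inconsistent on the honest, unaccused set $A$, the broadcast word $w_\ell + b_\ell w_0$ is consistent on $A$ for at most one multiplier $b_\ell$) and the Recover algorithm of Figure 2-2, as an added worked example in Python. This is not code from the thesis or from [CCD88]; it fixes a toy instance that the text leaves open (a prime field of size 11, $t = 1$, hence $n = 5$ and $\delta = 2$, with share $i$ being the polynomial value at the point $i$) and decodes by exhaustive search over error sets, which at this size stands in for the efficient Reed-Solomon decoder the thesis assumes.

```python
"""Toy model of the classical pieces of Sections 2.1 and 2.2.1: the verification round
behind Lemma 2.4 and Algorithm 1 (Recover). Added example, not the thesis's own code.
Assumptions: p = 11, t = 1, n = 4t+1 = 5, delta = 2t = 2, share i = polynomial value at i."""
from itertools import combinations
import random

P = 11           # prime field F_p; assumption: p > n, so 1..n are distinct evaluation points
T = 1            # bound on the number of cheaters
N = 4 * T + 1    # number of players, holding positions 1..N
DELTA = 2 * T    # V^delta = evaluations of polynomials of degree <= DELTA; distance N - DELTA = 2t+1

def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k in F_p."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def interpolate(points):
    """Lagrange interpolation in F_p: coefficients (low degree first) of the unique
    polynomial of degree < len(points) through the given (x, y) pairs."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1                # basis(x) = prod_{j != i} (x - x_j), denom = prod (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            basis = [((basis[k - 1] if k else 0) - xj * (basis[k] if k < len(basis) else 0)) % P
                     for k in range(len(basis) + 1)]
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P  # y_i / denom, inverse by Fermat
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % P
    return coeffs

def rs_share(a, rng):
    """Random codeword of V^delta interpolating to a: p(0) = a, deg p <= DELTA; share i is p(i)."""
    coeffs = [a] + [rng.randrange(P) for _ in range(DELTA)]
    return {i: poly_eval(coeffs, i) for i in range(1, N + 1)}

def decode(word, max_errors):
    """Bounded-distance decoding of a (possibly truncated) word {position: value} by
    exhaustive search over error sets of size <= max_errors; returns (coeffs, error_set) or None.
    Sound whenever the truncated code has distance > 2*max_errors (the regime of Algorithm 1)."""
    positions = sorted(word)
    for e in range(max(0, max_errors) + 1):
        for err in combinations(positions, e):
            rest = [i for i in positions if i not in err]
            if len(rest) < DELTA + 1:
                continue
            coeffs = interpolate([(i, word[i]) for i in rest[:DELTA + 1]])
            if all(poly_eval(coeffs, i) == word[i] for i in rest):
                return coeffs, set(err)
    return None

def consistent_on(word, A):
    """True iff the shares at positions A lie on a single polynomial of degree <= DELTA."""
    return decode({i: word[i] for i in A}, 0) is not None

def passing_multipliers(w0, wl, A):
    """Multipliers b in F_p for which w_l + b*w0 is consistent on A. Lemma 2.4: if w0 is
    inconsistent on A at most one b passes, since b != b' both passing would make
    (b - b')*w0, hence w0, consistent on A."""
    return [b for b in range(P)
            if consistent_on({i: (wl[i] + b * w0[i]) % P for i in A}, A)]

def demo_lemma_2_4(b_star=5):
    """Cheating dealer who gambles that the public multiplier will be b_star."""
    rng = random.Random(2)
    A = [1, 2, 3, 4]                                    # honest players neither corrupted nor accused
    w0 = rs_share(3, rng)
    w0[1] = (w0[1] + 1) % P                             # one bad share: w0 is NOT consistent on A
    c = rs_share(0, rng)                                # a genuine codeword
    wl = {i: (c[i] - b_star * w0[i]) % P for i in w0}  # chosen so that w_l + b_star*w0 = c
    return passing_multipliers(w0, wl, A)

def recover(tree, B, Bi):
    """Algorithm 1 (Recover). tree[i][j] is leaf j of branch i; B, Bi are the apparent-cheater sets."""
    a = {}
    for i in range(1, N + 1):
        if i in B:
            continue
        truncated = {j: tree[i][j] for j in range(1, N + 1) if j not in Bi[i]}
        res = decode(truncated, T - len(Bi[i]))        # truncated code has distance 2t+1-b: fix t-b errors
        if res is not None:                             # else a_i = bottom and branch i is skipped
            a[i] = res[0][0]                            # constant term = value interpolated from branch i
    good = sorted(a)[:DELTA + 1]                        # any DELTA+1 surviving branches fix the root
    return interpolate([(i, a[i]) for i in good])[0]

def demo_recover(secret=7, cheater=3):
    """Honest dealer; one cheater lies about every leaf he holds. Recover still returns the secret."""
    rng = random.Random(1)
    v0 = rs_share(secret, rng)                          # dealer's first-level shares v_0(i)
    tree = {i: rs_share(v0[i], rng) for i in v0}        # branch i: player i re-shares v_0(i)
    for i in tree:
        tree[i][cheater] = (tree[i][cheater] + 4) % P   # cheater's broadcast leaves are wrong
    B, Bi = set(), {i: set() for i in tree}
    Bi[1] = {cheater}                                   # already accused in branch 1: t-1 errors allowed there
    return recover(tree, B, Bi)

if __name__ == "__main__":
    print("multipliers b passing the Lemma 2.4 check:", demo_lemma_2_4())
    print("recovered secret:", demo_recover())
```

`demo_lemma_2_4` returns only the multiplier the dealer bet on, so with $|F| = 11$ his chance per round is the $1/|F|$ of the proof of Lemma 2.4, and the $k$ rounds are independent because the $b_\ell$ are. `demo_recover` returns the dealer's secret even though the cheater's leaf is wrong in every branch: branch 1, where he was already in $B_1$, is decoded as the truncated code with no error budget left, and the other branches correct him as a single error.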

2.2.2 Classical VSS 

Based on the discussion of the previous section, we give a modified version of the 
VSS protocol of [CCD88]. The main difference is that the original protocol required 
the dealer to remember the values of the shares sent in the first phase, and to cooperate 
later on during the verification phase. However, this does not generalize well to 
the quantum world, and so we compensate by exploiting the efficient decodability of 
Reed-Solomon codes. The protocol is given in Figure 2-3. Note that as before, the 
error-correcting code we use is $V^\delta$, where $n = 4t + 1$ and $\delta = 2t$. 

Remark 5. In the description of the protocol (and subsequent protocols), we assume 
for simplicity that there is a source of public randomness. This is not a problem in 
our setting as good random bits can be generated using classical VSS protocols, and 
it simplifies the analysis of the protocols. However, it is not necessary (and this assumption is not 
made in [CCD88, RB89]). See Section 2.2.7 for further discussion. 

The correctness and soundness of this protocol are stated here. They follow from 
the properties of 2-GOOD trees and from cut-and-choose analysis. 

Fact 2.6. If $D$ is honest, he will pass the protocol with probability 1, and the shares 
$v_{0,i}(j)$ will form a 2-GOOD tree which interpolates to the original input $a$. 

Fact 2.7. With probability $1 - 2^{-\Omega(k)}$, either the shares $v_{0,i}(j)$ form a 2-GOOD tree or 
the dealer is caught during the protocol. 

2.2.3 VQSS Protocol 

Given the previous protocol, and the observation that subspace projection can work 
simultaneously in both bases (Section 2.1.3), it is natural to attempt to run the 
classical VSS to check for errors in both bases. The resulting protocol is described 
in Figure 2-4 (Sharing Phase) and Figure 2-5 (Reconstruction Phase). Intuitively, it 
guarantees that a tree of quantum shares would yield a 2-GOOD tree of classical values 
if measured in either the computational basis or the Fourier basis. Note that we use 
the codes $V = V^\delta = V^{\delta'}$ and $W = W^\delta = W^{\delta'}$ (again with $n = 4t + 1$, $\delta = \delta' = 2t$), 
although there is in fact no need to do this: the protocol will work for any CSS code 
with distance at least $2t + 1$, so long as the code is efficiently decodable. 
Protocol 4 (Modified Classical VSS from [CCD88]). The dealer $D$ has input $a \in F$. 

• Sharing: 

1. $D$ picks a random codeword $v_0 \in V$ such that $v_0$ interpolates to $a$. $D$ also picks $k$ 
random codewords $v_1, \ldots, v_k \in V$ (i.e. $k$ sharings of random values). 

2. $D$ gives player $i$ the $i$th component of each of these vectors: $v_\ell(i)$ for $\ell = 0, \ldots, k$. 

3. Player $i$ shares each of these values with random vectors $v_{0,i}, \ldots, v_{k,i} \in V$ which interpolate 
to $v_0(i), \ldots, v_k(i)$, respectively. He sends the values $v_{\ell,i}(j)$ to player $j$ (for $\ell = 0, \ldots, k$). 

• Verification: Get $k$ previously unknown public random values $b_1, \ldots, b_k$. For $\ell = 1, \ldots, k$: 

1. For all $i$, player $j$ broadcasts $v_{\ell,i}(j) + b_\ell v_{0,i}(j)$ 
(i.e. player $j$ broadcasts his share of $v_{\ell,i} + b_\ell v_{0,i}$). 

2. For each $i \in \{1, \ldots, n\}$, players update the set $B_i$ based on the broadcast values, as in 
the subspace projection protocol. If there are too many errors, then they add $i$ to the 
global set $B$. 

3. Furthermore, players do the same at the branch level: for all $i \notin B$, there is an 
interpolated value $a_i$ which corresponds to the decoded codeword from the previous 
step. Players also decode the codeword $(a_1, \ldots, a_n)$ and update $B$ accordingly (i.e. by 
adding any positions where errors occur to $B$). 

• The dealer is disqualified if $B$ is ever larger than $t$. 

• If the dealer passes, the values $v_{0,i}(j)$ are taken to be the shares of the dealer's secret. 

• Reconstruction: 

1. Player $j$ broadcasts his shares $v_{0,i}(j)$ for all $i$. 

2. Let $T$ be the tree defined by these values. All players output the value given by 
Recover$(T, V, B, B_1, \ldots, B_n)$. 

Figure 2-3: Protocol 4 (Modified VSS protocol from [CCD88]) 



Protocol 5 (VQSS: Sharing Phase). Dealer $D$ gets as input a quantum system $S$ to 
share. 

• Sharing: 

1. The dealer $D$ prepares $(k+1)^2$ systems of $n$ qupits each, called $S_{\ell,m}$ (for $\ell = 0, \ldots, k$ 
and $m = 0, \ldots, k$): 

(a) Encodes $S$ using $C$ in $S_{0,0}$. 

(b) Prepares $k$ systems $S_{0,1}, \ldots, S_{0,k}$ in the state $\sum_{a \in F} \mathcal{E}|a\rangle = \sum_{v \in V}|v\rangle$. 

(c) Prepares $k(k+1)$ systems $S_{\ell,m}$, for $\ell = 1, \ldots, k$ and $m = 0, \ldots, k$, each in the state 
$\mathcal{E}|0\rangle$ (the superposition of those $v \in V$ which interpolate to 0). 

(d) For each of the $(k+1)^2$ systems $S_{\ell,m}$, $D$ sends the $i$th component (denoted $\mathcal{S}_{\ell,m,i}$) 
to player $i$. 

2. Each player $i$, for each $\ell, m = 0, \ldots, k$: 

(a) Encodes the received system using $C$ into an $n$-qupit system $S_{\ell,m,i}$. 

(b) Sends the $j$th component $S_{\ell,m,i,j}$ to player $j$. 

• Verification: 

1. Get public random values $b_1, \ldots, b_k \in F$. For each $\ell = 0, \ldots, k$, $m = 1, \ldots, k$, each 
player $j$: 

(a) Applies the controlled-addition gate $(c\text{-}X^{b_m})$ to his shares of the systems $S_{\ell,0,i}$ 
and $S_{\ell,m,i}$ (for each $i$). 

(b) Measures his share of $S_{\ell,m,i}$ and broadcasts the result 
(i.e. each player broadcasts $k(k+1)n$ values). 

(c) Updates the sets $B$ and $B_1, \ldots, B_n$ as in the classical VSS protocol. 

2. All players apply the Fourier transform $\mathcal{F}$ to their shares. 

3. Get public random values $b'_1, \ldots, b'_k \in F$. For $\ell = 1, \ldots, k$, each player $j$: 

(a) Applies the controlled-addition gate $(c\text{-}X^{b'_\ell})$ to his shares of the systems $S_{\ell,0,i}$ 
and $S_{0,0,i}$ (for each $i$). 

(b) Measures his share of $S_{\ell,0,i}$ and broadcasts the result 
(i.e. each player broadcasts $kn$ values). 

(c) Updates the sets $B$ and $B_1, \ldots, B_n$ as in the classical VSS protocol. Note that for all $\ell$, 
we use the code $W = V^\perp$. 

[Note: the sets $B$ and $B_1, \ldots, B_n$ are cumulative throughout the protocol.] 

4. All players apply the inverse transform $\mathcal{F}^{-1}$ to their shares of $S_{0,0}$. 

• The remaining shares (i.e. the components of the $n$ systems $S_{0,0,i}$) form the sharing of 
the state $\rho$. 

Figure 2-4: Protocol 5 (VQSS: Sharing Phase) 
Protocol 6 (VQSS: Reconstruction Phase). Player $j$ sends his share of each of the 
systems $S_{0,0,i}$ to the receiver $R$, who runs the following decoding algorithm: 

1. For each branch $i$: determine if there is a set $B_i' \supseteq B_i$ with $|B_i'| \leq t$ such that the 
shares of $S_{0,0,i}$ lie in $C_{B_i'}$. If not, add $i$ to $B$. Otherwise, correct errors on $B_i'$ and decode 
to obtain a system $S_i'$. 

2. Apply interpolation to any set of $n - 2t$ points not in $B$. Output the result $S'$. 

Figure 2-5: Protocol 6 (VQSS: Reconstruction Phase) 



Why is this a secure VQSS protocol? We want to show that the protocol is equivalent 
to the "ideal model", where at sharing time the dealer sends his secret system 
$S$ to a trusted outside party, and at reveal time the trusted party sends $S$ to the 
designated receiver. To do that, we will use two main technical claims: 

• Soundness: At the end of the protocol, if the dealer passes all tests then there is 
a unique state which will be recovered by the receiver, regardless of any changes 
made by the cheating players. 

• Completeness (simplistic version): If the dealer is honest, then he will pass all tests 
and the state recovered by the receiver will be exactly the dealer's input system 
$S$. 

At first, it may not be clear that the claim above for completeness is really sufficient, 
since it does not explicitly rule out the adversary learning any information 
about the secret system $S$. In fact, at some intuitive level it is sufficient, since any 
information the adversary was able to learn would cause a disruption of $S$ (in general). 
Nonetheless, a formal proof of security requires a more sophisticated argument. We 
give the more formal proof, based on simulation, in Section 2.2.6. 



2.2.4 (Informal) Soundness 

Lemma 2.8. The system has high fidelity to the following statement: "Either the 
dealer is caught or measuring all shares in the computational (resp. Fourier) basis 
would yield a 2-GOOD tree with respect to the code $V$ (resp. $W$)." 

Proof: The proof of this lemma follows the ideas outlined in the proof of soundness 
for the subspace projection protocol. First, a quantum-to-classical reduction allows us 
to use the soundness of the modified classical protocol from Section 2.2.2: this gives us 
that at the end of Step 1, either $D$ would get caught or all the systems $S_{\ell,0}$ would yield 
2-GOOD$_V$ trees if measured in the computational basis. After applying the Fourier 
transformations in Step 2, all the systems will be 2-GOOD$_V$ in the Fourier basis. 
Subsequent application of linear gates will not change that, since they correspond 
to linear gates in the Fourier basis. Finally, applying a second quantum-to-classical 
reduction shows that at the end of Step 3, the system $S_{0,0}$ will be 2-GOOD$_W$ in the 
computational basis. Since it is also 2-GOOD$_V$ in the Fourier basis, the final rotation 
in Step 4 will leave it 2-GOOD$_V$ in the computational basis and 2-GOOD$_W$ in the 
Fourier basis. □ 

Let $\mathcal{E}$ denote the operator used to encode a state using $C$. Let $J$ be a set of indices 
$j$ such that the error operators $\{E_j\}_{j \in J}$ run over all the syndromes of the code $C$ (i.e. 
$J$ contains one representative from each equivalence class of error operators, and the 
spaces $\{E_j C\}_{j \in J}$ are orthogonal and span $\mathbb{C}^{p^n}$). Note that $|J| = p^{n-1}$ since the code 
is 1-dimensional (one logical qupit). 

Fact 2.9. The following set is an orthonormal basis of the $p^{n^2}$-dimensional Hilbert space 
$\mathbb{C}^{p^{n^2}}$ (where $p$ is the size of $F$): 

$$\{E_{j_1}^{(1)} \cdots E_{j_n}^{(n)}\, \mathcal{E}^{\otimes n} E_{j_0} \mathcal{E} |a\rangle : j_0, \ldots, j_n \in J,\ a \in F\}$$ 

where the superscript $(i)$ on $E_{j_i}$ indicates that it acts on the $i$th block of $n$ qupits. 

Proof: First, notice that these vectors are indeed pairwise orthogonal: for a pair of 
vectors, if any of the indices $j_i \in J$ differ for $i \geq 1$, we can distinguish the two states 
by measuring the syndrome of the $i$th block of qupits. If none of the $j_i$ differ but the 
indices $j_0$ differ, then we can distinguish the two states by correcting all the errors, 
decoding the resulting blocks and measuring the syndrome of the final codeword. 
Finally, if the two states differ only by the choice of $a \in F$, we can distinguish them by 
correcting all errors, decoding and measuring the resulting qupit in the computational 
basis. 

On the other hand, there are $p^{n-1}$ choices for each of the $n+1$ indices $j_0, \ldots, j_n \in J$ 
and $p$ choices for $a \in F$. Thus the total number of states is $(p^{n-1})^{n+1} p = p^{n^2}$, and so 
the states must span all of $\mathbb{C}^{p^{n^2}}$. □ 

Proposition 2.10 (Characterizing 2-GOOD trees). The space of trees of qupits 
which are 2-GOOD$_V$ in the computational basis and 2-GOOD$_W$ in the Fourier basis is 
spanned by the states 

$$E^{(1)}_{j_1} \cdots E^{(n)}_{j_n}\, \mathcal{E}^{\otimes n} E_{j_0} \mathcal{E}|a\rangle$$ 

where 

• $E_{j_0}$ (or something in its equivalence class) acts only on $B$ and 

• For each $i \notin B$, $E_{j_i}$ (or something in its equivalence class) acts only on $B_i \cup C$. 
(Recall that for $i$ corresponding to honest players not in $B$, we have $B_i \subseteq C$ and 
so in those cases the condition is that $E_{j_i}$ act only on $C$.) 

Proof: Given any state of $n^2$ qupits, we can write it as a mixture of linear combinations 
of basis vectors from the basis in the previous discussion (Fact 2.9). Now for any 
one of these basis states given by $j_0, \ldots, j_n$ and $a$, it will pass a test of 2-GOOD-ness in 
both bases if and only if the conditions of the proposition are satisfied: $j_0$ should be 
the syndrome of some error which acts only on $B$ and each $j_i$ should be equivalent to 
an error on $B_i \cup C$. Thus, any state which passes the test with probability 1 can in 
fact be written only in terms of those basis vectors which pass the test. □ 

Note that in the case of the basis vectors of the previous proposition, there is 
no entanglement between the data and the errors, since the data is a pure state (in 
fact, we can also think of the errors as being described by a pure state $|j_0, \ldots, j_n\rangle$). 
However, one can get arbitrary superpositions of these basis vectors and so in general 
there will be not only correlation, but indeed entanglement between the data and the 
errors. 



Ideal Reconstruction In order to prove soundness carefully, we define an ideal 
interpolation circuit $\mathcal{R}_I$ for 2-GOOD trees: pick the first $n - 2t$ honest players not in 
$B$, say $i_1, \ldots, i_{n-2t}$. For each $i_j$, pick $n - 2t$ honest players not in $B_{i_j}$ and apply the 
normal interpolation circuit (i.e. erasure-recovery circuit) for the code to their shares 
to get a single qupit for branch $i_j$. This will yield $n - 2t$ qupits total. Applying the interpolation 
circuit again, we extract some system $S$ which we take to be the output of the ideal 
interpolation. For simplicity, we assume that the interpolation circuit extracts the 
encoded state and replaces it with an encoding of $|0\rangle$, i.e. it maps $\mathcal{E}|a\rangle \mapsto |a\rangle \otimes \mathcal{E}|0\rangle$. 

Lemma 2.11. Given a tree of qupits which is 2-GOOD in both bases, the output of 
the ideal interpolation and the real recovery operators are the same. In particular, 
this means that no changes made by cheaters to their shares of a 2-GOOD tree can 
affect the outcome of the recovery operation. 

Note that this is not necessarily true for a "one level" sharing (Section 2.1.3), 
unless $t < n/8$: by entangling errors with the shared data, the cheaters could arrange 
things so that more than $t$ errors are detected only for certain possible values of the 
data, creating an entanglement between the data and the success or failure of the 
recovery. 



Proof (of Lemma 2.11): Both the decoding and recovery operators produce an output 
qupit as well as an ancilla. We show that there is a unitary map which can be applied 
to the ancilla of the interpolation operator so that the joint state of the output and 
the ancilla is the same as when the decoding operator is applied. 

It is sufficient to prove this for some basis of the space of 2-GOOD trees; the rest 
follows by linearity. The natural basis is given by Proposition 2.10. Consider a basis 
vector $E^{(1)}_{j_1} \cdots E^{(n)}_{j_n}\, \mathcal{E}^{\otimes n} E_{j_0} \mathcal{E}|a\rangle$ which satisfies the conditions of Proposition 2.10. 



Effect of ideal recovery Let $I$ be the set of $n - 2t$ indices not in either $B$ or $C$, and 
suppose for simplicity that $I = \{1, \ldots, n - 2t\}$ (the same argument works regardless 
of the particular values in $I$). Applying the ideal recovery operator to the branches 
in $I$, we obtain $n - 2t$ encodings of $|0\rangle$ with errors $j_1, \ldots, j_{n-2t}$, and an encoding 
of $|a\rangle$ whose first $n - 2t$ positions are untouched and whose last $2t$ positions are 
themselves encoded and possibly arbitrarily corrupted. This can be written: 

$$(E_{j_1}\mathcal{E}|0\rangle) \otimes \cdots \otimes (E_{j_{n-2t}}\mathcal{E}|0\rangle) \otimes E^{(n-2t+1)}_{j_{n-2t+1}} \cdots E^{(n)}_{j_n} \left(I^{\otimes (n-2t)} \otimes \mathcal{E}^{\otimes 2t}\right) E_{j_0}\mathcal{E}|a\rangle$$ 

where $I$ is the identity. Applying ideal recovery again to the first $n - 2t$ positions 
of the encoding of $|a\rangle$, we extract $|a\rangle$ and leave a corrupted encoding of $|0\rangle$: 

$$|a\rangle \otimes \Big( (E_{j_1}\mathcal{E}|0\rangle) \otimes \cdots \otimes (E_{j_{n-2t}}\mathcal{E}|0\rangle) \otimes E^{(n-2t+1)}_{j_{n-2t+1}} \cdots E^{(n)}_{j_n} \left(I^{\otimes (n-2t)} \otimes \mathcal{E}^{\otimes 2t}\right) E_{j_0}\mathcal{E}|0\rangle \Big)$$ 



Effect of real reconstruction Now consider the effect of the decoding operator, 
which must be applied without knowledge of the positions which are corrupted. 
The first operation to be performed is to attempt to decode each branch $i \notin B$. 
This means copying the syndrome $j_i$ for each branch into an ancilla state $|j_i\rangle$. 
Whenever $E_{j_i}$ acts on a set $\hat{B}_i$ such that $|B_i \cup \hat{B}_i| \leq t$, then $E_{j_i}$ can be identified 
and corrected. When $E_{j_i}$ acts on too many positions, then it cannot be identified 
uniquely and the decoding procedure will simply leave that branch untouched. 

Let $I$ be the set of indices not in $B$ which had few enough errors to correct. At 
the end of this first phase the input basis state will become: 

$$\Big(\prod_{i \notin I} E^{(i)}_{j_i}\Big)\, \mathcal{E}^{\otimes n} E_{j_0}\mathcal{E}|a\rangle \otimes \bigotimes_{i \notin B} |j_i\rangle$$ 

We know that all the honest players not in $B$ are in $I$ (by assumption of 2-GOOD-ness) 
and so $I$ contains at least $n - 2t$ positions. Decoding each of these branches 
and applying the interpolation operator to the resulting qupits, we can extract the 
state $|a\rangle$ and replace it with $|0\rangle$ in the top-level sharing. This yields 

$$|a\rangle \otimes \Big(\prod_{i \notin I} E^{(i)}_{j_i}\Big)\, \mathcal{E}^{\otimes n} E_{j_0}\mathcal{E}|0\rangle \otimes \bigotimes_{i \notin B} |j_i\rangle$$ 



In both cases, the output can be written as $|a\rangle$ tensored with some ancilla whose 
state depends only on the syndromes $j_0, j_1, \ldots, j_n$. Once that state is traced out, the 
outputs of both operators will be identical. Another way to see this is that the ideal 
operator can simulate the real operator: one can go from the output of the ideal 
operator to that of the real operator by applying a transformation only to the ancilla. 
□ 



Lemma 2.8 and Lemma 2.11 together imply that there is essentially a unique state 
which will be recovered in the reconstruction phase when the receiver $R$ is honest. 
Thus, Protocol 5 is sound, in the informal sense of Section 2.2.3. 

2.2.5 (Informal) Completeness 



As discussed earlier, the protocol is considered complete if when the dealer is honest, 
the state that is recovered by an honest reconstructor is exactly the dealer's input 
state. 

Lemma 2.12. When the dealer $D$ is honest, the effect of the verification phase on 
the shares which never pass through cheaters' hands is the identity. 

Proof: This follows essentially by inspection: for any codeword $v$ of a linear code 
$W$, applying a controlled addition to $|v\rangle \otimes \sum_{w \in W} |w\rangle$ results in the identity. Since 
this operation is transversal, the shares which never go through cheaters' hands will 
behave as if the identity gate was applied. □ 

Consider the case where the dealer's input is a pure state $|\psi\rangle$. On one hand, we 
can see by inspection that an honest dealer will always pass the protocol. Moreover, 
since the shares that go through honest players' hands only remain unchanged, it 
must be that if some state is reconstructed, then that state is indeed $|\psi\rangle$, since the 
ideal reconstruction operator uses only those shares. Finally, we know that since the 
dealer passed the protocol the overall tree must be 2-GOOD in both bases, and so some 
value will be reconstructed. Thus, on input a pure state an honest reconstructor 
will reconstruct $|\psi\rangle$. We have proved: 

Lemma 2.13. If $D$ and $R$ are honest, and the dealer's input is a pure state $|\psi\rangle$, then 
$R$ will reconstruct a state $\rho$ with fidelity $1 - 2^{-\Omega(k)}$ to the state $|\psi\rangle$. 

Not surprisingly, this lemma also guarantees the privacy of the dealer's input. By 
a strong form of the no cloning theorem (Section 1.3.2), any information the cheaters 
could obtain would cause some disturbance, at least for a subset of the inputs. Thus, 
the protocol is in fact also private. 



2.2.6 Simulatability 

The previous two sections prove that the protocol satisfies an intuitive definition of 
security, namely that it is complete, sound and private. In this section, we sketch 
a proof that the protocol satisfies a more formal notion: it is equivalent to a simple 
ideal model protocol. The equivalence is statistical (in the sense of the definition 
given earlier), that is, the outputs of the real and ideal protocols may not be identical, 
but have very high fidelity to one another. 



An Ideal Model Protocol Now, it is fairly simple to give an ideal protocol for 
VQSS: in the sharing phase, the dealer $D$ sends his system $S$ to TTP. If $D$ does 
not cooperate or sends an invalid message, TTP broadcasts "$D$ is a cheater" to all 
players. In the reconstruction phase, TTP sends the system $S$ to the designated 
receiver $R$. This ideal protocol was given earlier in the chapter. 

Intuitively, this is the most we could ask from a secret sharing protocol: that it 
faithfully simulates a lock box into which the dealer drops the system he wishes to 
share. 

In order to show equivalence of our protocol to the ideal protocol, we will give 
a transformation that takes an adversary $\mathcal{A}_1$ for our protocol and turns it into an 
adversary $\mathcal{A}_2$ for the ideal protocol. To give the transformation, we exhibit a simulator 
$\mathcal{S}$ which acts as an intermediary between $\mathcal{A}_1$ and the ideal protocol, making $\mathcal{A}_1$ believe 
that it is in fact interacting with the real protocol. 



Simulation Outline 

We give a sketch of the simulation procedure in Algorithm 2 (Figure 2-6). 
Why does this simulation work? 

• When D is cheating: 

— When $R$ is cheating, the simulation is trivially faithful, since there is no difference 
between the simulation and the real protocol: $\mathcal{S}$ runs the normal sharing 
protocol, then runs the interpolation circuit, sending the result to TTP. In the 
reconstruction phase, $\mathcal{S}$ gets the same state back from TTP, and runs the interpolation 
circuit backwards. Thus, the two executions of the interpolation circuit 
cancel out. 

— When $R$ is honest, the faithfulness of the simulation comes from Lemma 2.11: 
in the real protocol, $R$ outputs the result of the regular decoding operator. In 
the simulation, $R$ gets the output of the ideal interpolation. Since the shared 
state has high fidelity to a 2-GOOD tree (by Lemma 2.8), the outputs will be 
essentially identical in both settings (i.e. they will have high fidelity). 

• When $D$ is honest: 

— To see that the simulation works when $D$ is honest, we must show that two 
versions of the protocol are equivalent: in the first version, $\mathcal{S}$ gets $S$ after having 
simulated the sharing phase with $\mathcal{A}_1$, and so he "swaps" it in by first running 
the ideal interpolation circuit, exchanging the system $S$ for the shared state $|0\rangle$, 
and then running the interpolation circuit backwards. 

In the second version, he gets the system $S$ from TTP before running the 
simulated sharing phase, and so he simply runs it with $S$ as the input for the 
simulated dealer $D'$. 

To see that the two versions are equivalent, view the "swap" as an atomic 
operation, i.e. view the application of the interpolation, switching out the $|0\rangle$ 
state and replacing it with $S$, and reapplying the interpolation backwards, as a 
single step. Now consider moving the swap backwards through the steps of the 
protocol. Because each of the verification steps acts as the identity on the shares 
of the honest players, we can move the swap backwards through all verifications 
(Note: the verification acts as the identity only when the dealer is honest, but 
that is indeed the case here). Finally, one can see by inspection that sharing 
a $|0\rangle$ and then swapping is the same as sharing the system $S$. Thus the two 
versions of the protocol are equivalent, and so the simulation is faithful when $D$ 
is honest. 
Algorithm 2. Simulation for VQSS (Protocol 5) 
Sharing/Verification phase 

• If $D$ is a cheater, $\mathcal{S}$ must extract some system to send to TTP: 

1. Run Sharing and Verification phases of Protocol 5, simulating honest players. If 
$D$ is caught cheating, send "I am cheating" from $D$ to TTP. 

2. Choose $n - 2t$ honest players not in $B$ and apply the ideal interpolation circuit to 
extract a system $S$. 

3. Send $S$ to TTP. 

• If $D$ is honest, $\mathcal{S}$ does not need to send anything to TTP, but must still simulate the 
sharing protocol. 

1. Simulate an execution of the Sharing and Verification phases of Protocol 5, using 
$|0\rangle$ as the input for the simulated dealer $D'$. 

2. Choose $n - 2t$ honest players (they will automatically not be in $B$ since they are 
honest) and apply the ideal interpolation circuit to extract the state $|0\rangle$. 

3. The honest $D$ will send a system $S$ to TTP. 

Note: Regardless of whether $D$ is honest or not, at the end of the sharing phase of the 
simulation, the joint state of the players' shares is a tree that is (essentially) 2-GOOD in 
both bases, and to which the ideal interpolation operator has been applied. Let $I$ be the 
set of $n - 2t$ honest players (not in $B$ or $C$) who were used for interpolation. 

Reconstruction phase 

• If $R$ is a cheater, $\mathcal{S}$ receives the system $S$ from TTP. He runs the interpolation circuit 
backwards on the positions in $I$, with $S$ in the position of the secret. He sends the 
resulting shares to $R$. 

• If $R$ is honest, the cheaters send their corrupted shares to $\mathcal{S}$. These are discarded by 
$\mathcal{S}$. 

In both cases, $\mathcal{S}$ outputs the final state of $\mathcal{A}_1$ as the adversary's final state. 

Figure 2-6: Algorithm 2 (Simulation for VQSS) 



We have essentially proved: 

Theorem 2.14. Protocol 5 is a statistically secure implementation of verifiable quantum 
secret sharing (the ideal VQSS protocol above). 



2.2.7 Round and Communication Complexity 

In this section we show how to reduce the complexity of the protocol. For now, we 
will continue to assume that all public coins are generated using classical VSS: all 
players commit to a random value, then open all their values and take the sum to be 
the public coin. We discuss removing this assumption below. 



Reducing the Number of Ancillas The first observation is that with these cut-and-choose 
protocols, it is easy to check many trees at once for 2-GOOD-ness, so long 
as they were all generated by the same dealer. Suppose that we want to verify $\ell$ 
trees of quantum shares for 2-GOOD-ness in a certain basis. The dealer distributes 
the trees, and then creates $k$ sharings of the ancilla state $\sum_a |a\rangle$ (as in the original 
protocol). In the original protocol, for each ancilla we chose a random coefficient 
$b \in F$ and performed the gate $(x, y) \mapsto (x, y + bx)$. In the new protocol, we add a 
random linear combination of all $\ell$ states to be checked into the ancilla: each challenge 
consists of $\ell$ coefficients $b_1, \ldots, b_\ell$ chosen publicly at random. We apply the linear gate 
$(x_1, \ldots, x_\ell, y) \mapsto (x_1, \ldots, x_\ell, y + \sum_j b_j x_j)$ to the $\ell$ trees and the ancilla. The resulting 
state is then measured in the computational basis and all players broadcast their 
shares. 

To ensure good soundness, we can run this protocol $k$ times in parallel, i.e. using 
$k$ different ancillas and $k \cdot \ell$ random coefficients (i.e. $k$ challenges of $\ell$ coefficients). 
Essentially the same analysis as in the previous sections shows that at the end of this 
protocol (with high fidelity) the dealer will have been caught or the shared states will 
all be 2-GOOD in the computational basis. 

We can use this observation to improve the efficiency of our VQSS protocol. The 
dealer shares his secret S and also shares 2k ancillas. He uses the first k ancillas to 
check both the target state and the remaining k ancillas for consistency in the Fourier 
basis. He then uses the remaining ancillas to check the target state in the compu- 
tational basis. The number of ancillas now scales linearly (instead of quadratically) 
but the protocol still requires a quadratic number of public values. 



Generation of Public Values In the preceding discussion we assumed that public 
values were truly random. Such truly random coins can be implemented in our model 
using classical VSS, but in fact they need not be. As pointed out in [CCD88, RB89], 
it is sufficient to have players take turns generating challenges. 

Suppose that each player broadcasts $k/n$ random challenges, and all players apply 
the challenge and measure and broadcast the result, as before. Then we are guaranteed 
that at least $k' = k \cdot \frac{n-t}{n}$ challenges will be chosen truly at random. Thus, 
by increasing $k$ by a factor of $\frac{n}{n-t}$ we get the same soundness as before, and avoid 
expensive VSS protocols. 

The final protocol takes three rounds, two of which use the broadcast channel. 
Each player sends and receives $kn \log|F|$ qubits. Moreover, the broadcast channel 
gets used $k$ times to send challenges of (roughly) $k \log|F|$ bits. It is also used to 
broadcast $k$ responses of $n \log|F|$ bits. To have soundness $\epsilon$, we must have the 
number of truly random challenges be $k' \geq \frac{n + \log(1/\epsilon)}{\log|F|}$. 

Since $\frac{n}{n-t}$ is constant, we get quantum communication complexity $O\!\left(\frac{(n + \log\frac{1}{\epsilon})^2}{\log|F|}\right)$ 
per player and overall broadcast complexity $O\!\left((n + \log\frac{1}{\epsilon})\left(n + \frac{n + \log\frac{1}{\epsilon}}{\log|F|}\right)\right)$. This is 
optimized when each player broadcasts only a single challenge, i.e. $\log|F| = n + \log\frac{1}{\epsilon}$. 
In that case, we get quantum communication complexity $O(n + \log\frac{1}{\epsilon})$ per player and 
overall broadcast complexity $O\!\left(n(n + \log\frac{1}{\epsilon})\right)$. 
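The batch check and the round-robin generation of challenges have a classical shadow that can be run directly. The Python program below is an added example, not code from the thesis: it models each tree as the vector of evaluations of a polynomial of degree at most $\delta$ over $F = \mathrm{GF}(101)$ (the field size, the evaluation points $\alpha_i = i$ and the choices $n = 4t+1$, $\delta = 2t$ are assumptions made here), opens $y + \sum_j b_j x_j$ for one ancilla per challenge, and shows that a corrupted tree is caught exactly when its coefficient in some honestly chosen challenge is nonzero, while a challenger colluding with the dealer can always pick coefficients that hide it.

```python
"""Batch cut-and-choose check for polynomial sharings over a prime field.

Added example (not from the thesis): the classical shadow of the check in
Section 2.2.7, one ancilla per challenge, l trees per challenge, challenges
issued round-robin by the players.  Field, code and points are assumptions:
F = GF(P) with P prime, evaluation points alpha_i = i, n = 4t + 1, delta = 2t.
"""
import random

P = 101                        # |F|; constructed parameter, must be prime
T = 2                          # tolerated cheaters
N = 4 * T + 1                  # number of players
DELTA = 2 * T                  # degree bound of the sharing polynomials
POINTS = list(range(1, N + 1))  # alpha_i = i (assumption)


def poly_eval(coeffs, x):
    """Horner evaluation of sum_k coeffs[k] x^k over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, rng):
    """Share `secret` as evaluations of a random polynomial of degree <= delta
    whose constant term is the secret (classical analogue of one tree)."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(DELTA)]
    return [poly_eval(coeffs, x) for x in POINTS]


def share_many(secrets, seed):
    """Deterministic helper: share each secret with an RNG seeded by `seed`."""
    rng = random.Random(seed)
    return [share(s, rng) for s in secrets]


def interpolate_at(xs, ys, x):
    """Value at x of the unique polynomial of degree < len(xs) through (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def is_codeword(vec):
    """Membership in V^delta: the polynomial through the first delta+1 entries
    must reproduce every remaining entry."""
    xs, ys = POINTS[:DELTA + 1], vec[:DELTA + 1]
    return all(interpolate_at(xs, ys, x) == y
               for x, y in zip(POINTS[DELTA + 1:], vec[DELTA + 1:]))


def batch_check(trees, ancillas, challenges):
    """For each (ancilla y, challenge b_1..b_l): open y + sum_j b_j x_j and
    test that it is a codeword.  True iff the dealer passes every challenge."""
    for y, bs in zip(ancillas, challenges):
        opened = [(y[i] + sum(b * x[i] for b, x in zip(bs, trees))) % P
                  for i in range(N)]
        if not is_codeword(opened):
            return False
    return True


def run_check(trees, k, seed, bad_index=None, cheaters=()):
    """Dealer provides k ancillas (sharings of uniformly random field elements,
    the classical stand-in for sum_a |a>).  Challenge c is issued by player
    c mod n.  A cheating challenger colluding with the dealer zeroes the
    coefficient of the corrupted tree `bad_index`, so its challenge can never
    expose that tree.  Returns True iff the dealer passes all k challenges."""
    rng = random.Random(seed)
    ancillas = [share(rng.randrange(P), rng) for _ in range(k)]
    challenges = []
    for c in range(k):
        bs = [rng.randrange(P) for _ in trees]
        if bad_index is not None and (c % N) in cheaters:
            bs[bad_index] = 0
        challenges.append(bs)
    return batch_check(trees, ancillas, challenges)


if __name__ == "__main__":
    good = share_many([3, 17, 42], seed=1)
    bad = [list(v) for v in good]
    bad[1][0] = (bad[1][0] + 1) % P          # one corrupted share in tree 1
    print("honest dealer passes:", run_check(good, k=4, seed=2))
    print("corrupted tree, honest coins:", run_check(bad, k=4, seed=2, bad_index=1))
    print("corrupted tree, colluding coins:",
          run_check(bad, k=2, seed=2, bad_index=1, cheaters={0, 1}))
```

A single non-codeword tree escapes an honest challenge only when its coefficient $b_j$ is $0$, i.e. with probability $1/|F|$, so $k'$ honest challenges leave soundness error $|F|^{-k'}$. In `run_check` challenge $c$ is issued by player $c \bmod n$, so once $k \geq n$ at least $k(n-t)/n$ challenges come from honest players whatever the cheaters choose; the colluding run in the demo only succeeds because $k < n$ lets the cheaters issue every challenge.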



2.2.8 Additional Properties of Two-Level Sharing 

Level 2 sharings produced by the same dealer (using the protocol above) have some 
additional properties, which will be useful for multi-party computation. First of 
all, notice that there is no problem in tracking the sets $B, B_1, \ldots, B_n$ across various 
invocations of the protocol for the same dealer. Because set $B_i$ corresponds to the 
set of players which player $i$ has accused of cheating, we may take these sets as 
cumulative, and simply declare that a player is cheating whenever the union of all 
the sets $B_i$ (for the same $i$) has size greater than $t$. Similarly for the set $B$. Thus, in the 
discussion below we assume that the sets $B, B_1, \ldots, B_n$ are the same for all invocations 
with a particular dealer. 

1. Say the systems $S_{i,j}$, $S'_{i,j}$ form valid two-level sharings of states $\rho, \rho'$ respectively 
(where $S_{i,j}$ corresponds to player $j$'s share of branch $i$). 

Then applying the linear operation $(x, y) \mapsto (x, y + bx)$ to the systems $S_{i,j} \otimes S'_{i,j}$ 
results in valid two-level sharings of the states obtained by applying the gate to 
the state $\rho \otimes \rho'$. 

In other words, if we denote the reconstruction procedure by $\mathcal{R}$ and the controlled 
addition by c-$X^b$, we get that 

$$(\text{c-}X^b)\,\mathcal{R}^{\otimes 2} = \mathcal{R}^{\otimes 2}\,(\text{c-}X^b)^{\otimes n^2}$$ 

(at least when restricted to the subspace of valid sharings). 

2. Say the systems $S_{i,j}$ form valid two-level sharings of state $\rho$ with respect to the 
codes $V, W$. Then applying $\mathcal{F}$ to each of the shares results in a valid sharing of 
the state $\mathcal{F}\rho\mathcal{F}^\dagger$ with respect to the codes $W, V$. 

That is, if $\mathcal{R}_{V,W}$ is the reconstruction procedure which uses code $V$ in the computational 
basis and $W$ in the Fourier basis, then when we restrict to the subspace 
of valid sharings we get: 
3. If all players measure their shares in a valid sharing of $\rho$ and then apply classical 
reconstruction, then they will obtain the same result as if they had sent their shares 
to an honest reconstructor and asked him to broadcast the result of measuring $\rho$. 

4. The dealer can use the protocol to additionally prove to all players that the system 
he is sharing is exactly the state $|0\rangle$: the ancillas he uses in this case will all be 
sharings of $|0\rangle$ (instead of $\sum_a |a\rangle$). The verification step is the same as before, except 
now players verify that the reconstructed codeword at the top level interpolates to 
$0$. 

Similarly, the dealer can prove that he is sharing a state $\sum_a |a\rangle$ by ensuring that all 
ancillas used for verification in the Fourier basis are in state $|0\rangle$, and again asking 
players to verify that the reconstructed codeword at the top level interpolates to 
$0$ for the checks in the Fourier basis. 

This last point is worth stressing: by tailoring the protocol, the dealer can verifiably 
share states $|0\rangle$ and $\sum_a |a\rangle$. This will be useful for sharing ancillas in the 
multi-party computation protocol. 

2.3 Impossibility of VQSS when $t \geq n/4$ 

Lemma 2.15. No VQSS scheme exists for 4 players which tolerates one cheater. 

Before proving this, we need a result from quantum coding theory, on the relation 
between error-correction and erasure-correction: 

Fact 2.16 ($t$-error correction and $2t$-erasure correction). Suppose that a quantum 
code $C$ with $n$ components and dimension at least 2 can correct errors on any $t$ 
positions. Then in fact $C$ can correct erasures on any $2t$ positions. 

Note that this holds regardless of the dimensions of the individual components of 
the code. It also holds when the code in question is a "mixed state" code, i.e. some 
pure states are nonetheless encoded as mixed states by the encoding procedure. 

It's an interesting and useful property of quantum information that it cannot be 
cloned, i.e. there is no procedure which takes an arbitrary, unknown pure state $|\psi\rangle$ 
and replaces it with two exact copies $|\psi\rangle \otimes |\psi\rangle$ (see Section 1.3.2). A corollary of 
this is that no quantum code with $n$ components can withstand the erasure of $\lceil n/2 \rceil$ 
components. If it could, then one could always separate the codeword into two halves 
and reconstruct a copy of the encoded data with each half, yielding a clone of the 
encoded data. By the equivalence of $t$-error-correction and $2t$-erasure-correction, this 
means that there is no quantum code that can correct errors on any $\lceil n/4 \rceil$ positions. 
This is a special case of the quantum Singleton bound, also called the Knill-Laflamme 
bound. 

Proof (of Lemma 2.15): Suppose such a scheme exists. Consider a run of the protocol 
in which all players behave perfectly honestly until the end of the sharing phase. At 
that point, their joint state can be thought of as a (possibly mixed-state) encoding 
of the secret that was shared. In particular, an honest "receiver" Ruth, if she were 
given access to the state of all players, must be able to recover the shared state. 
Moreover, she must be able to do so even if one player suddenly decides to start 
cheating and introduces arbitrary errors into his state. Thus, the joint state of all 
players constitutes a four-component QECC correcting one error. However, no such 
code exists, not even a mixed-state one, by the quantum Singleton bound. □ 



Corollary 2.17. No VQSS scheme exists tolerating an adversary structure that contains 
four sets which cover all players. 

Proof: Suppose there exist four disjoint sets $A, B, C, D$ such that $A \cup B \cup C \cup D = P$, 
and a VQSS scheme tolerating any adversary that can corrupt any one of those sets. 
Then we can construct a four player protocol tolerating one cheater by having each 
player simulate the players in one of the four sets. □ 

The optimality of our VQSS scheme is also an immediate corollary: 

Theorem 2.18. No VQSS scheme for $n$ players exists which tolerates all coalitions 
of $\lceil n/4 \rceil$ cheaters. 

Note that we have only proved the impossibility of perfect VQSS protocols. However, 
both the no cloning theorem and the equivalence of $t$-error-correction and $2t$-erasure-correction 
hold when exact equality is replaced by approximate correctness, 
and so in fact even statistical VQSS schemes are impossible when $t \geq n/4$. 



2.4 Multi-party Quantum Computation 

In this section we show how to use the VQSS protocol of the previous section to 
construct a multi-party quantum computing scheme. 

First, we give a modified VQSS protocol. At the end of the protocol, all players 
hold a single qupit. With high fidelity, either the dealer will be caught cheating or the 
shares of all honest players will be consistent in both the computational and Fourier 
bases, i.e. there is no set B of "apparent cheaters". 



2.4.1 Level 3 Sharing Protocol 

Until now, we have used protocols for tolerating $t < n/4$ cheaters. However, we are 
now interested in tolerating $t < n/6$ cheaters. Thus, we take $n = 6t + 1$ for simplicity, 
and as before we set $\delta = 2t$ (thus $\delta' = 4t$). We will work with the CSS code $C$ given by 
$V = V^\delta$ and $W = W^\delta$. Recall that this is the CSS code for which we have the simple, 
nearly-transversal fault-tolerant procedures of Section 1.3.3. Our goal is to share a 
state so that at the end all shares of honest players lie in $\mathcal{C}_C = V_C \cap \mathcal{F}^{\otimes n} W_C$. 

The new scheme is given in Protocol 7 (Figure 2-7). The idea is that the previous 
VQSS scheme allows distributed computation of linear gates and Fourier transforms 
on states shared by the same dealer. It also allows verifying that a given shared state 
is either $|0\rangle$ or $\sum_a |a\rangle$. The players will use this to perform a distributed computation 
of the encoding gate for the code $C$. Thus, the dealer will share the secret system $S$, 
as well as $\delta$ states $\sum_a |a\rangle$ and $n - \delta - 1$ states $|0\rangle$. Players then apply the (linear) 
encoding gate, and each player gets sent all shares of his component of the output. 

Protocol 7 (Top-Level Sharing). Dealer $D$ takes as input a qupit $S$ to share. 
• Sharing 

1. (Distribution) The dealer $D$: 

(a) Runs the level 2 VQSS protocol on input $S$. 

(b) For $i = 1, \ldots, \delta$: 
Runs the level 2 sharing protocol to share the state $\sum_a |a\rangle$ (see item 4 in Section 2.2.8). 

(c) For $i = 1, \ldots, n - \delta - 1$: 
Runs the level 2 sharing protocol to share the state $|0\rangle$ (see item 4 in Section 2.2.8). 

Denote the $n$ shared systems by $S_1, \ldots, S_n$ (i.e. $S_1$ corresponds to $S$, $S_2, \ldots, S_{\delta+1}$ 
correspond to $\sum_a |a\rangle$ and $S_{\delta+2}, \ldots, S_n$ correspond to $|0\rangle$). Note that each $S_i$ is a 
two-level tree, and thus corresponds to $n$ components in the hands of each player. 

2. (Computation) Collectively, the players apply the Vandermonde matrix to their 
shares of $S_1, \ldots, S_n$. 

(If $D$ is honest then system $S_i$ now encodes the $i$-th component of an encoding of the 
input system $S$.) 

3. For each $i$, all players send their shares of $S_i$ to player $i$. 

Quantum Reconstruction Input to each player $i$ is the share $S_i$ and the identity of 
the receiver $R$. 

1. Each player $i$ sends his share $S_i$ to $R$. 

2. $R$ outputs $\mathcal{D}(S_1, \ldots, S_n)$ and discards any ancillas. 

Figure 2-7: Protocol 7 (Top-Level Sharing) 

Lemma 2.19. At the end of Step 2 (Computation), the system has high fidelity to "either the dealer 
is caught or measuring all $n$ trees in the computational (resp. Fourier) basis yields a 
forest of $n$ 2-GOOD$_V$ (resp. 2-GOOD$_W$) trees whose implicitly defined classical values 
$v_1, \ldots, v_n$ lie in $V$ (resp. $W$)". 

Proof: This follows from the linearity of the sharings generated by the VQSS scheme. 
□ 

Corollary 2.20 (Soundness of Top-Level Protocol). At the end of the sharing 
phase (i.e. after Step 3), the system has high fidelity to "either the dealer is caught 
or the $n$ shares of players $S_1, \ldots, S_n$ lie in $\mathcal{C}_C$". 

Proof: This is because the "rolling back" of the shares (i.e. reconstruction of their 
respective components by all players) preserves measurement statistics in both bases. 
□ 

Lemma 2.21 (Completeness of Top-Level Protocol). When $D$ is honest, on input 
a pure state $|\psi\rangle$, the shared state will lie in $\mathrm{span}\{\mathcal{E}|\psi\rangle\}_C$, i.e. will differ from an 
encoding of $|\psi\rangle$ only by a local operation on the cheaters' shares. 

Notice that the dealer can also prove to all players that he has shared a $|0\rangle$ state 
by simply proving that the system he is placing in the input position is in state $|0\rangle$. 

Simulatability and Ideal Secret Sharing The top-level protocol (Protocol 7) is 
a simulatable VQSS protocol, just as was the original protocol. As before, the idea 
is that there is no perceivable difference between (a) running the protocol on input 
$|0\rangle$ and having the simulator "swap in" the real shared system $S$ and (b) running the 
protocol honestly. 

However, the top-level protocol is also a simulatable implementation of a different 
(and stronger) one-phase ideal task, which we call "ideal secret sharing" (Figure 2-8). 
In it, the dealer $D$ sends his system $S$ to the TTP, and the TTP encodes it using 
the quantum error-correcting code $C$ and sends the $i$-th component to player $i$. 

The details of the simulation are substantially similar to those of Section 2.2.6. 
We get: 

Theorem 2.22. The top-level protocol (Protocol 7) is a statistically secure real-world 
implementation of ideal secret sharing (Protocol 8), for any $t < n/4$ (and thus in 
particular for $t < n/6$). 
Protocol 8 (Ideal Secret Sharing). Input: Dealer $D$ gets a qupit $S$. 

1. $D$ sends the $|F|$-dimensional system $S$ to TTP. If $D$ fails to do this, TTP broadcasts 
"$D$ is cheating" to all players. 

2. TTP encodes $S$ in $C$. That is: 

(a) TTP creates $\delta$ states $\sum_a |a\rangle$ and $n - \delta - 1$ states $|0\rangle$. 

(b) TTP runs the linear encoding circuit (given by the $n \times n$ Vandermonde matrix) on 
$S$ and the $n - 1$ ancillas. 

3. TTP sends the $i$-th component of the encoding to Player $i$. 

4. For all $i$: Player $i$ outputs either the qupit received from TTP or the message "$D$ is 
cheating". 

Figure 2-8: Protocol 8 (Ideal Secret Sharing) 



2.4.2 Distributed Computation 

Given the protocol of the previous section, and given the fault-tolerant quantum computing 
techniques described in Section 1.3.3, there is a natural protocol for multi-party computation 
of a circuit: have all players distribute their inputs via the top-level sharing (Protocol 7); apply 
the gates of $U$ one-by-one, using the (essentially) transversal implementation of the 
gates described in Section 1.3.3; then have all players send their share of each output 
to the appropriate receiver. For completeness, we give this protocol in Figure 2-9 
(Protocol 9). 

One difficulty in the analysis of this protocol is the measurement results which 
are broadcast in the computation phase during Degree Reduction. If the errors occurring 
in the measured ancilla were somehow correlated or entangled with errors in 
the real data, one could imagine that measuring and broadcasting them might introduce 
further entanglement. However, this will not be a problem: on one hand, any 
errors will occur only in the cheaters' shares, and so provide nothing beyond what the 
cheaters could learn themselves; on the other hand, the honest players will discard 
all the information from the broadcast except the decoded measurement result (each 
honest player performs the decoding locally based on the broadcast values, so all 
honest players obtain the same result). Again, the cheaters can do this themselves. 
A full proof of security is somewhat tedious; instead, we sketch the main ideas in the 
remainder of this section. 

Lemma 2.23. Suppose that all inputs and ancillas are shared at the beginning via 
states in $\mathcal{C}_C$. Then the result of applying the protocol for a given circuit $U$, and then 
sending all states to an honest decoder $R$ is the same as sending all states to $R$ and 
having $R$ apply $U$ to the reconstructed states. 
Protocol 9 (Multi-party Quantum Computation). 

Pre: All players agree on a quantum circuit $U$ with $n$ inputs and $n$ outputs (for simplicity, 
assume that the $i$-th input and output correspond to player $i$). The circuit they agree on 
should only use gates from the universal set in Section 1.3.3. 

Input: Each player gets an input system $S_i$ (of known dimension $p$). 

1. Input Phase: 

(a) For each $i$, player $i$ runs Top-Level Sharing with input $S_i$. 

(b) If $i$ is caught cheating, then some player who has not been caught cheating yet 
runs Top-Level Sharing (Protocol 7), except this time with the one-dimensional code 
$\mathrm{span}\{\mathcal{E}_C|0\rangle\}$ (i.e. he proves that the state he is sharing is $|0\rangle$). If the sharing protocol 
fails, then another player who has not been caught cheating runs the protocol. There 
will be at most $t + 1$ iterations (at most $t$ failures), since an honest player will always succeed. 

(c) For each ancilla state $|0\rangle$ needed for the circuit, some player who has not been caught 
cheating yet runs Top-Level Sharing (Protocol 7), with the one-dimensional code 
$\mathrm{span}\{\mathcal{E}_{C^\delta}|0\rangle\}$ or $\mathrm{span}\{\mathcal{E}_{C^{\delta'}}|0\rangle\}$, as needed. If the protocol fails, another player performs 
the sharing, and so forth. 

2. Computation Phase: For each gate $g$ in the circuit, players apply the appropriate 
fault-tolerant circuit, as described in Section 1.3.3. Only the measurement used in Degree 
Reduction is not transversal. To measure the ancilla: 

(a) Each player measures his component in the computational basis and broadcasts the result. 

(b) Let $w$ be the received word. Players decode $w$ (based on the scaled Reed-Solomon 
code $W^\delta$), and obtain the measurement result $b$. 

3. Output Phase: For the $i$-th output wire: 

(a) All players send their share of the output wire to player $i$. 

(b) Player $i$ applies the decoding operator for $C$ and outputs the result. If decoding fails 
(this will occur only with exponentially small probability), player $i$ outputs $|0\rangle$. 

Figure 2-9: Protocol 9 (Multi-party Quantum Computation) 
Proof: Any state in $C_\delta$ can be written as a mixture of linear combinations of basis 
states $E_j\mathcal{E}|\psi\rangle$ (see Lemma [l]^). The works on fault-tolerant computing show that 
the above procedures work correctly on such basis states. More importantly, they 
produce no new entanglement: the only opportunity to do so would come from the 
interaction in the measurement step of Degree Reduction. However, the leftover 
ancilla after that step is independent of the data in the computation, and hence provides no 
new information or entanglement. □ 

Theorem 2.24. For any circuit $U$, Protocol 9 is a statistically secure real-world im- 
plementation of multi-party quantum computation (the ideal-model protocol) as long as $t < n/6$. 

Proof: The proof of this is by simulation, as before. The key observation is that 
when the simulator $S$ is controlling the honest players, the adversary cannot tell the 
difference between the regular protocol and the following ideal-model simulation: 

1. $S$ runs the input phase as in the protocol, using $|0\rangle$ as the inputs for honest players. 
In this phase, if any dealer is caught cheating, $S$ sends "I am cheating" to the TTP 
on behalf of that player. 

2. $S$ "swaps" the cheaters' inputs with bogus data $|0\rangle$, and sends the real data to the 
TTP. That is, he applies the interpolation circuit to the honest players' shares to get 
the various input systems $S_i$ (for $i \in C$, the set of cheating players), and then runs the 
interpolation circuit backwards, with the state $|0\rangle$ replacing the original data. 

3. $S$ now runs the computation protocol with the adversary on the bogus data. (Be- 
cause no information about the data is revealed, the adversary cannot distinguish this 
from the real protocol.) 

4. $S$ receives from the TTP the true computation results destined for the cheating players. 

5. $S$ "swaps" these back into the appropriate sharings, and sends all shares of the $i$th 
wire to player $i$ (again, he does this only for $i \in C$). 

The proof that this simulation succeeds follows straightforwardly from the security of 
the Top-Level Sharing protocol and the previous discussion of fault-tolerant procedures. 
□ 
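The local decoding in step 2(b) of Protocol 9 is what makes the broadcast harmless: every honest player runs the same deterministic error-correcting decoder on the same received word $w$, so all of them obtain the same $b$ as long as at most $t$ of the broadcast values were corrupted, and the cheaters (who see $w$ as well) can compute that same $b$. The following Python program is an added illustration of that step, not code from the thesis, using a Berlekamp-Welch decoder for a Reed-Solomon code over $\mathbb{Z}_p$. Its concrete parameters are assumptions made for the example only: player $i$'s share is the value at $x = i$ of a polynomial of degree at most $d$, with $d + 2t + 1 \le n$ so that $t$ errors are correctable, the measurement result is taken to be the constant coefficient, and the prime, the polynomial and the corrupted positions are constructed here. None of this is the thesis's actual $W_s$.

```python
"""Local decoding of the broadcast word w in the Degree Reduction measurement
step (added example; not code from the thesis).

Assumptions (illustrative, not the thesis's actual W_s parameters):
  * the share of player i is f(i) for a polynomial f of degree <= d over Z_p,
    with d + 2t + 1 <= n so that up to t corrupted shares can be corrected;
  * the measurement result b is the constant coefficient f(0).
"""

P = 17  # prime modulus (assumed; any prime > n works for this demo)


def poly_eval(coeffs, x, p=P):
    """Evaluate a polynomial (coefficient list, lowest degree first) at x mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def solve_mod_p(rows, rhs, p=P):
    """Gaussian elimination over Z_p. Returns one solution (free variables set
    to 0), or None if the system is inconsistent."""
    m, ncols = len(rows), len(rows[0])
    aug = [[v % p for v in r] + [b % p] for r, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [(v * inv) % p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][-1] for i in range(r, m)):  # zero row with nonzero rhs
        return None
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = aug[i][-1]
    return sol


def poly_divmod(num, den, p=P):
    """Long division of polynomials over Z_p; returns (quotient, remainder)."""
    num = [v % p for v in num]
    dd = len(den) - 1
    inv_lead = pow(den[-1], -1, p)
    quot = [0] * max(len(num) - dd, 1)
    for i in range(len(num) - 1, dd - 1, -1):
        coef = (num[i] * inv_lead) % p
        quot[i - dd] = coef
        for j in range(dd + 1):
            num[i - dd + j] = (num[i - dd + j] - coef * den[j]) % p
    return quot, num[:dd]


def berlekamp_welch(xs, ys, d, t, p=P):
    """Recover the degree-<=d polynomial agreeing with (xs, ys) in all but at
    most t positions. Returns its coefficient list, or None on failure."""
    if d + 2 * t + 1 > len(xs):
        raise ValueError("need n >= d + 2t + 1 shares to correct t errors")
    # Unknowns: e_0..e_{t-1} of a monic error locator E (degree t, e_t = 1)
    # and q_0..q_{d+t} of Q = f*E. Each share (x, y) gives Q(x) = y*E(x):
    #   sum_j q_j x^j - y * sum_{k<t} e_k x^k = y * x^t
    rows, rhs = [], []
    for x, y in zip(xs, ys):
        rows.append([(-y * pow(x, k, p)) % p for k in range(t)]
                    + [pow(x, j, p) for j in range(d + t + 1)])
        rhs.append((y * pow(x, t, p)) % p)
    sol = solve_mod_p(rows, rhs, p)
    if sol is None:
        return None
    E = sol[:t] + [1]
    Q = sol[t:]
    f, rem = poly_divmod(Q, E, p)
    if any(rem):
        return None
    f = (f + [0] * (d + 1))[: d + 1]
    # The decoded polynomial must disagree with the broadcast in <= t places.
    disagreements = sum(1 for x, y in zip(xs, ys) if poly_eval(f, x, p) != y)
    return f if disagreements <= t else None


def decode_measurement(w, d, t, p=P):
    """What each honest player computes locally from the broadcast word w
    (w[i-1] is player i's broadcast value, taken as f(i)).
    Returns b = f(0), or None if decoding fails."""
    xs = list(range(1, len(w) + 1))
    f = berlekamp_welch(xs, list(w), d, t, p)
    return None if f is None else f[0]


def share(b, rand_coeffs, n, p=P):
    """Constructed sharing of b: f(x) = b + r_1 x + r_2 x^2 + ... evaluated at x = 1..n."""
    f = [b % p] + [r % p for r in rand_coeffs]
    return [poly_eval(f, x, p) for x in range(1, n + 1)]


if __name__ == "__main__":
    # Constructed sample: n = 7 players, d = 2, t = 2, b = 5, f(x) = 5 + 3x + 4x^2 over Z_17.
    clean = share(5, [3, 4], 7)            # [12, 10, 16, 13, 1, 14, 1]
    w = list(clean)
    w[1], w[4] = 3, 9                      # players 2 and 5 (cheaters) broadcast garbage
    print(decode_measurement(w, d=2, t=2))  # 5: every honest player gets the same b
    w[6] = 0                               # a third corruption exceeds t: no guarantee
    print(decode_measurement(w, d=2, t=2))  # None or a wrong value; only the bound on t protects honest players
```

With more than $t$ corrupted shares the decoder may return None or, worse, a polynomial that agrees with $w$ in all but $t$ positions yet is not the one that was shared; that is why the protocol's security rests on the bound on the number of cheaters rather than on the decoder noticing an overload.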
Chapter 3 
Open Questions 



We conclude briefly with some open questions based on this research: 

• Perhaps the most obvious question, given the results of this thesis, is to determine 
the true threshold for multi-party quantum computing, i.e. is it possible to tolerate 
up to $\lfloor (n-1)/4 \rfloor$ cheaters? We conjecture that it can indeed be done, but the 
techniques we use here are clearly not sufficient. 

One approach to this problem is to find a fault-tolerant Toffoli procedure for the 
code $C_\delta$ for $n = 2\delta + 1$, which tolerates $t$ errors at any point in the computation. 
The best known procedure for that code is a straightforward generalization of 
Shor's procedure for binary CSS codes [Sho96], [AB99]. However, there is one point 
in that procedure at which at most one error can be tolerated. Such a procedure 
will fail when $t = \delta/2$ errors can be placed adversarially. 

A more subtle question is whether or not it is possible to remove the error proba- 
bility from the protocols for verifiable quantum secret sharing. Given an error-free 
implementation of Ideal Secret Sharing, error-free multi-party computation is easy. 
However, attaining error-free VQSS seems difficult. Although we tried and failed 
to adapt the error-free classical techniques of Ben-Or, Goldwasser and Wigder- 
son [BGW88], we conjecture that it is nonetheless possible to achieve error-free 
quantum computation. 

A potentially much more difficult question is what tasks are achievable when we 
allow cheating players to force the protocol to abort. That is, extend the 
ideal model so that the cheaters can, at any time, simply ask the trusted third 
party to stop the protocol entirely. In that setting VQSS becomes largely irrelevant, 
since an essential aspect of VQSS is that the honest players be able to reconstruct 
the secret without the cheaters' help. Thus, the bound of $n/4$ no longer seems hard; 
in fact, we conjecture some improvement is possible, possibly even up to tolerating 
any minority of cheating players. 
Appendix A 

More on Neighborhoods of Quantum Codes 

Note that the notions $N_B(C)$ and $ST_B(C)$ make sense for any subspace $C$ of $\mathcal{H}$. On 
the one hand, we always have $N_B(C) \subseteq ST_B(C)$, since local operations do not affect 
the density matrix of other components. If we restrict our attention to pure states, 
then $N_B(C)$ and $ST_B(C)$ are in fact identical. Specifically, define: 

$$N_B^{\mathrm{pure}}(C) = \{\, |\psi\rangle \in \mathcal{H} : \exists |\phi\rangle \in C,\ \exists U \text{ unitary, acting only on } \mathcal{H}_B, 
\text{ such that } |\psi\rangle = (I_A \otimes U)|\phi\rangle \,\}$$ 

$$ST_B^{\mathrm{pure}}(C) = \{\, |\psi\rangle \in \mathcal{H} : \exists |\phi\rangle \in C,\ \mathrm{Tr}_B(|\psi\rangle\langle\psi|) = \mathrm{Tr}_B(|\phi\rangle\langle\phi|) \,\}$$ 

Proposition A.1. For any subspace $C$: $N_B^{\mathrm{pure}}(C) = ST_B^{\mathrm{pure}}(C)$. 

Proof: We must only prove $N_B^{\mathrm{pure}}(C) \supseteq ST_B^{\mathrm{pure}}(C)$, since the other inclusion is trivial. 
Take any state $|\psi\rangle \in ST_B^{\mathrm{pure}}(C)$. Let $|\phi\rangle$ be the corresponding state in $C$ and let $\rho = 
\mathrm{Tr}_B(|\psi\rangle\langle\psi|) = \mathrm{Tr}_B(|\phi\rangle\langle\phi|)$. We can write $\rho = \sum_i p_i |a_i\rangle\langle a_i|$ with $p_i > 0$, $\sum_i p_i = 1$ 
and the vectors $|a_i\rangle$ orthonormal. 

By the Schmidt decomposition, we know that we can write 

$$|\psi\rangle = \sum_i \sqrt{p_i}\, |a_i\rangle \otimes |b_i\rangle$$ 

with the vectors $|b_i\rangle$ orthonormal. Similarly, there is some other set of orthonormal 
vectors $|b'_i\rangle$ such that we can write 

$$|\phi\rangle = \sum_i \sqrt{p_i}\, |a_i\rangle \otimes |b'_i\rangle.$$ 

Now consider any unitary matrix $U$ on $\mathcal{H}_B$ which maps $|b'_i\rangle$ to $|b_i\rangle$. Such a matrix 
always exists since the sets of vectors are orthonormal. Then we have $|\psi\rangle = (I_A \otimes 
U_B)|\phi\rangle$ as desired. □ 
This equality does not hold once we relax our definition and consider mixed states. 
Namely: 

Proposition A.2. There exist subspaces $C$ for which $N_B(C) \subsetneq ST_B(C)$. 

Proof: Many quantum codes have this property, for an appropriate partition of the 
codeword into parts $A$ and $B$. Take $C$ to be a quantum RS code with $n = 2\delta + 1$. 
Encode one half of an EPR pair. Now obtain $\rho$ by appending the other half of the EPR pair 
to the end of the codeword (say there is space left over in position $n$, for example). 
On one hand, $\rho$ is clearly in $ST_B(C)$ as long as $B$ includes position $n$. However, it is not 
in $N_B(C)$, since the only state "in" $C$ which has the same reduced state as $\rho$ on $A$ is a mixed 
state. □ 

For the case of CSS codes, we can additionally define $C_B = V_B \cap \mathcal{F}^{\otimes n} W_B$, where 
$\mathcal{F}$ is the Fourier transform over $\mathbb{Z}_p$. Again, 
there is a trivial inclusion: $ST_B(C) \subseteq C_B$. This inclusion also holds when we restrict 
our attention to pure states. However, the inclusion is strict, even for pure states: 

Proposition A.3. There exist subspaces $C$ for which $ST_B(C) \subsetneq C_B$. 

Proof: Again, consider the quantum RS code with $n = 2\delta + 1$. Take $A = \{1, \ldots, \delta + 1\}$ 
and $B = \{n - \delta + 1, \ldots, n\}$. Both $V_B$ and $W_B$ cover the entire space $\mathbb{Z}_p^n$, so in fact $C_B$ 
is the entire Hilbert space. However, when the interpolation operator is applied to the 
positions of $\rho$ in $A$, any state $\rho$ in $ST_B(C)$ must yield $\rho' \otimes I$, i.e. the logical 
state $\rho'$ on the data position tensored with the identity on the remaining positions of $A$. 
Thus, not all states, pure or mixed, are in $ST_B(C)$. □ 

It should be noted that neither $N_B(C)$ nor $ST_B(C)$ is a subspace. Moreover, for 
CSS codes, $C_B$ is the subspace generated by the vectors in $N_B(C)$. 

Correspondence to an Idealized Experiment. One interesting property of $ST_B(C)$ 
is that it is exactly the set of states which will arise in an idealized experiment in 
which cheaters introduce errors which are entangled with the data. Specifically, allow 
the cheaters to choose an arbitrary joint state $|\psi\rangle$ for two systems $L$ and $Aux$ ($L$ is 
the logical data, $Aux$ is auxiliary workspace). Now encode $L$ using $C$, and allow the 
cheaters to apply any operator which affects only $Aux$ and the components of the 
encoding contained in $B$. Finally, trace out $Aux$ so that only the components of the 
(corrupted) codeword are left. 

Proposition A.4. The set of possible states of the corrupted codeword system in the 
previous experiment is exactly $ST_B(C)$. 

Proof: We can assume w.l.o.g. that the adversary provides a pure state as input, 
since we can always purify the state with an ancilla and have him simply ignore the 
ancilla. Now, we are in the situation of considering $N^{\mathrm{pure}}_{B \cup Aux}(C')$, where $C'$ is the code 
consisting of $C$ when restricted to the codeword positions (and no restrictions on 
$Aux$). By Proposition A.1 this is equal to $ST^{\mathrm{pure}}_{B \cup Aux}(C')$. But we have $ST_B(C) = 
ST_{B \cup Aux}(C')$, i.e. once we trace out everything but $A$, there is no difference between 
$C$ and $C'$. □ 